A Feature Policy plugin for hapi.
In Afrikaans the word Funksie means feature, and it sounds similar to blankie, a repo from which a lot of the code was taken.
Feature-Policy is an HTTP response header that, when set, lets you control which origins can use which features, both in the top-level page and in embedded frames.
Feature Policy provides a mechanism to explicitly declare what functionality is used (or not used) throughout your website. With Feature Policy, you opt in to a set of "policies" for the browser to enforce on specific features used throughout a website. These policies restrict what APIs the site can access, or modify the browser's default behavior for certain features.
Examples of what you can do with Feature Policy:
- Change the default behavior of autoplay on mobile and third party videos.
- Restrict a site from using sensitive APIs like magnetometer or microphone.
- Control whether the current document is allowed to use the Payment Request API. If all your products and services are free, you can set this to 'none'.
Here's a link to the complete list.
This plugin depends on scooter to function.
To use it:

```js
'use strict';

const Hapi = require('@hapi/hapi');
const Funksie = require('funksie');
const Scooter = require('@hapi/scooter');

const internals = {};
const server = Hapi.server();

internals.init = async () => {

    // Scooter must be registered alongside Funksie
    await server.register([Scooter, {
        plugin: Funksie,
        options: {} // specify options here
    }]);
    await server.start();
};

internals.init().catch((err) => {

    throw err;
});
```
Options may also be set on a per-route basis:

```js
'use strict';

const Hapi = require('@hapi/hapi');
const Funksie = require('funksie');
const Scooter = require('@hapi/scooter');

const server = Hapi.server();

server.route({
    method: 'GET',
    path: '/capture',
    config: {
        handler: (request, h) => {

            return 'capturing this';
        },
        plugins: {
            funksie: {
                cameraSrc: 'self' // only this route may use the camera, from its own origin
            }
        }
    }
});
```
Note that this setting will NOT be merged with your server-wide settings.

You may also set `config.plugins.funksie` equal to `false` on a route to disable Feature-Policy headers completely for that route.
The available options are:

- `accelerometerSrc`: Values for the `accelerometer` directive. Defaults to `'none'`.
- `ambientLightSensorSrc`: Values for the `ambient-light-sensor` directive.
- `autoplaySrc`: Values for the `autoplay` directive.
- `batterySrc`: Values for the `battery` directive. Defaults to `'none'`.
- `cameraSrc`: Values for the `camera` directive. Defaults to `'none'`.
- `displayCaptureSrc`: Values for the `display-capture` directive.
- `documentDomainSrc`: Values for the `document-domain` directive.
- `encryptedMediaSrc`: Values for the `encrypted-media` directive.
- `fullscreenSrc`: Values for the `fullscreen` directive.
- `geolocationSrc`: Values for the `geolocation` directive. Defaults to `'none'`.
- `gyroscopeSrc`: Values for the `gyroscope` directive. Defaults to `'none'`.
- `layoutAnimationsSrc`: Values for the `layout-animations` directive.
- `legacyImageFormatsSrc`: Values for the `legacy-image-formats` directive.
- `magnetometerSrc`: Values for the `magnetometer` directive. Defaults to `'none'`.
- `microphoneSrc`: Values for the `microphone` directive. Defaults to `'none'`.
- `midiSrc`: Values for the `midi` directive.
- `oversizedImagesSrc`: Values for the `oversized-images` directive.
- `paymentSrc`: Values for the `payment` directive. Defaults to `'none'`.
- `pictureInPictureSrc`: Values for the `picture-in-picture` directive.
- `publickeyCredentialsGetSrc`: Values for the `publickey-credentials-get` directive.
- `syncXhrSrc`: Values for the `sync-xhr` directive.
- `usbSrc`: Values for the `usb` directive.
- `vrSrc`: Values for the `vr` directive.
- `wakeLockSrc`: Values for the `wake-lock` directive.
- `xrSpatialTrackingSrc`: Values for the `xr-spatial-tracking` directive.
- `reportUri`: Value for the `report-uri` directive. This should be the path to a route that accepts Feature-Policy violation reports.
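As an added example (not funksie's own code), here is how an options object built from the names above maps onto a Feature-Policy header value, using the defaults this README lists, plus a small check that flags sensitive features a header leaves open. The camelCase-to-directive mapping and the serialization rules are assumptions for illustration, not the plugin's implementation.

```javascript
'use strict';

// Directives this README says default to 'none' (constructed from the list above)
const DEFAULT_NONE = ['accelerometer', 'battery', 'camera', 'geolocation',
    'gyroscope', 'magnetometer', 'microphone', 'payment'];

// Assumed mapping: cameraSrc -> camera, ambientLightSensorSrc -> ambient-light-sensor
function optionToDirective(key) {
    return key.replace(/Src$/, '').replace(/([A-Z])/g, '-$1').toLowerCase();
}

// Allowlist values: keywords are quoted per the header grammar, origins and paths are not
function serializeAllowlist(value) {
    const items = Array.isArray(value) ? value : [value];
    return items.map((v) => {
        const bare = v.replace(/^'|'$/g, '');
        return ['self', 'none', 'src'].includes(bare) ? `'${bare}'` : bare;
    }).join(' ');
}

// Build the header value: defaults first, then the caller's options override or extend them
function buildFeaturePolicy(options = {}) {
    const directives = {};
    for (const name of DEFAULT_NONE) {
        directives[name] = "'none'";
    }
    for (const [key, value] of Object.entries(options)) {
        directives[optionToDirective(key)] = serializeAllowlist(value);
    }
    return Object.entries(directives).map(([d, v]) => `${d} ${v}`).join('; ');
}

// Defender check: which sensitive features does a header value leave open,
// either by omitting the directive or by allowing every origin with '*'?
function unrestrictedSensitive(headerValue, sensitive = DEFAULT_NONE) {
    const policy = new Map(headerValue.split(';').map((entry) => {
        const [directive, ...allowlist] = entry.trim().split(/\s+/);
        return [directive, allowlist];
    }));
    return sensitive.filter((f) => !policy.has(f) || policy.get(f).includes('*'));
}
```

Run `unrestrictedSensitive` over the header a deployed route actually returns to confirm the per-route override did not silently drop the server-wide defaults, since, as noted above, the two are not merged.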