27Kas
HTTP Headers: Document Policy vs. Permissions-Policy/Feature-Policy
I'm checking the options to harden my web app by setting the appropriate HTTP headers.
Besides the Content Security Policy (CSP) there are two another approaches: Document Policy and Permissions-Policy (Feature-Policy).
I've checked the W3C Relation to Feature Policy documentation, but still can't grasp the clear answer wherever I need to set both policies: Document and Permissions or it is overshooting and it's enough to set just Permissions-Policy?
P.S. Feel free to forward this question to the SE's Web Applications or StackOverflow portals, if the question doesn't fit so much this portal.
