$30 off During Our Annual Pro Sale. View Details »

HTTP headers for the responsible developer

stefan judis
March 16, 2019
Technology
5
4.1k

HTTP headers for the responsible developer

stefan judis

March 16, 2019
Tweet

More Decks by stefan judis

See All by stefan judis
Back to boring (part 2)
stefanjudis
0
200
Playwright can do this?
stefanjudis
0
45
Things you should know about Frontend Development in 2022
stefanjudis
0
400
Throw yourself out there for fun and profit
stefanjudis
0
44
Back to Boring
stefanjudis
1
240
Wanna scale up? Make sure your CMS is ready for it!
stefanjudis
0
150
Did we(b development) lose the right direction?
stefanjudis
6
2k
Regular expressions – my secret love
stefanjudis
1
950
Write a Function
stefanjudis
0
420

Other Decks in Technology

See All in Technology
18行のLinuxカーネルモジュールを 作ってみる
sat
PRO
1
110
LINE WORKS 最新メジャーアップデート(v3.8)勉強会
lwug
0
160
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
710
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
16
9.8k
Micro Frontends for Java Microservices - SF JUG 2023
mraible
PRO
1
220
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.3k
生成AI革命期に求められる無知の知とハッカー精神
shunsukeono_am
0
170
Notionへのデータ移行を成功させる5つのポイント - NIFTY Tech Day 2023
niftycorp
0
140
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120
JAWS-UG_YOKOHAMA_20231204
hiashisan
0
310
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
3
700
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
5
3.5k

Featured

See All Featured
RailsConf 2023
tenderlove
0
360
GitHub's CSS Performance
jonrohan
1021
440k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.7k
Debugging Ruby Performance
tmm1
68
11k
Web Components: a chance to create the future
zenorocha
304
41k
Designing with Data
zakiwarfel
93
4.6k
Producing Creativity
orderedlist
PRO
335
38k
Building Your Own Lightsaber
phodgson
97
5.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
Adopting Sorbet at Scale
ufuk
66
8.2k
What's new in Ruby 2.0
geeforr
335
30k
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k

Transcript

  1. @stefanjudis
    HTTP headers for the
    responsible developer

    View Slide

  2. My journey
    on the web

    View Slide

  3. uboot.com

    View Slide

  4. 1999

    View Slide

  5. The web
    connects people

    View Slide

  6. 2010

    View Slide

  7. The web
    connects people

    View Slide

  8. We connect people!
    We enable people!
    We help people!

    View Slide

  9. [he/him]
    @stefanjudis
    www.stefanjudis.com
    Heyo,
    I'm Stefan!

    View Slide

  10. ... and I want to be
    a responsible developer

    View Slide

  11. View Slide

  12. 1999

    View Slide

  13. 2019

    View Slide

  14. 2019

    View Slide

  15. 2019

    View Slide

  16. 2019
    We should be building
    for everybody

    View Slide

  17. "We don't have
    users in/that ..."

    View Slide

  18. "We don't have users in/that ..."

    View Slide

  19. The challenge
    of building
    a "good" website

    View Slide

  20. Design Performance
    Content Accessibility
    Devices
    Network
    Frameworks

    View Slide

  21. Design Performance
    Content Accessibility
    Network
    Frameworks Devices

    View Slide

  22. Let's talk HTTP

    View Slide

  23. https://the-responsible.dev/
    Accept: text/html,application/xhtml+xml,application/xml

    Accept-Encoding: gzip, deflate, br

    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
    ...
    Connection: keep-alive
    Content-Type: text/html; charset=utf-8
    Date: Mon, 11 Mar 2019 12:59:38 GMT
    ...
    Response Body

    View Slide

  24. Accept: text/html,application/xhtml+xml,application/xml

    Accept-Encoding: gzip, deflate, br

    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
    ...
    https://the-responsible.dev/
    Connection: keep-alive
    Content-Type: text/html; charset=utf-8
    Date: Mon, 11 Mar 2019 12:59:38 GMT
    ...
    Response Body

    View Slide

  25. the-responsible.dev

    View Slide

  26. How can we use headers
    to make this site better?

    View Slide

  27. The web is
    a scary place

    View Slide

  28. thenextweb.com/contributors/2018/03/10/protect-website-cryptojacking-attacks/

    View Slide

  29. shoptalkshow.com/episodes/special-one-one-hacker/

    View Slide

  30. blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

    View Slide

  31. www.twilio.com/blog/learned-about-security-from-calling-35-contact-centers

    View Slide

  32. www.twilio.com/blog/learned-about-security-from-calling-35-contact-centers
    We always
    rely on others

    View Slide

  33. The web
    has to be safe!

    View Slide

  34. HTTPS

    View Slide

  35. HTTP/2 ServiceWorker
    getUserMedia() ...

    View Slide

  36. whynohttps.com

    View Slide

  37. whynohttps.com

    View Slide

  38. Ensure encryption

    View Slide

  39. Strict-Transport-Security:
    max-age=1000;
    includeSubDomains;
    preload
    Response Header

    View Slide

  40. hstspreload.org

    View Slide

  41. chromium.googlesource.com/chromium/src/net/+/master/http/
    transport_security_state_static.json

    View Slide

  42. View Slide

  43. caniuse.com/#feat=stricttransportsecurity

    View Slide

  44. Upgrade
    HTTP requests

    View Slide

  45. Content-Security-Policy:
    upgrade-insecure-requests
    Response Header

    View Slide

  46. www.chromestatus.com/feature/5557268741357568

    View Slide

  47. Limit what's allowed

    View Slide

  48. requestmap.webperf.tools

    View Slide

  49. base-uri
    block-all-mixed-content
    connect-src
    default-src
    font-src
    form-action
    frame-ancestors
    frame-src
    img-src
    manifest-src
    media-src
    navigate-to
    object-src
    plugin-types
    report-sample
    report-to
    require-sri-for
    sandbox
    script-src
    strict-dynamic
    style-src
    upgrade-insecure-requests
    worker-src
    developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    prefetch-src

    View Slide

  50. content="default-src 'self'; img-src https://*;">

    View Slide

  51. Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-
    inline' 'unsafe-eval' just-comments.com www.google-analytics.com
    production-assets.codepen.io storage.googleapis.com; style-src 'self'
    'unsafe-inline'; img-src 'self' data: images.contentful.com
    images.ctfassets.net www.gravatar.com www.google-analytics.com just-
    comments.com; font-src 'self' data:; connect-src 'self'
    cdn.contentful.com images.contentful.com videos.contentful.com
    images.ctfassets.net videos.ctfassets.net service.just-comments.com
    www.google-analytics.com; media-src 'self' videos.contentful.com
    videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame-
    ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src
    'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https://
    stefanjudis.report-uri.com/r/d/csp/reportOnly
    Response Header

    View Slide

  52. Content-Security-Policy-Report-Only: default-src 'self'; script-src
    'self' 'unsafe-inline' 'unsafe-eval' just-comments.com www.google-
    analytics.com production-assets.codepen.io storage.googleapis.com;
    style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com
    images.ctfassets.net www.gravatar.com www.google-analytics.com just-
    comments.com; font-src 'self' data:; connect-src 'self'
    cdn.contentful.com images.contentful.com videos.contentful.com
    images.ctfassets.net videos.ctfassets.net service.just-comments.com
    www.google-analytics.com; media-src 'self' videos.contentful.com
    videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame-
    ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src
    'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https://
    stefanjudis.report-uri.com/r/d/csp/reportOnly
    Response Header

    View Slide

  53. Content-Security-Policy-Report-Only: default-src 'self'; script-src
    'self' 'unsafe-inline' 'unsafe-eval' just-comments.com www.google-
    analytics.com production-assets.codepen.io storage.googleapis.com;
    style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com
    images.ctfassets.net www.gravatar.com www.google-analytics.com just-
    comments.com; font-src 'self' data:; connect-src 'self'
    cdn.contentful.com images.contentful.com videos.contentful.com
    images.ctfassets.net videos.ctfassets.net service.just-comments.com
    www.google-analytics.com; media-src 'self' videos.contentful.com
    videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame-
    ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src
    'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https://
    stefanjudis.report-uri.com/r/d/csp/reportOnly
    Response Header

    View Slide

  54. Report-To: {
    "group": "csp-endpoint",
    "max_age": 10886400,
    "endpoints": [{
    "url": "https://stefanjudis.com/.../csp-report"
    }]
    }

    View Slide

  55. Report-To: {
    "group": "csp-endpoint",
    "max_age": 10886400,
    "endpoints": [{
    "url": "https://stefanjudis.com/.../csp-report"
    }]
    },
    {
    "group": "network-endpoint",
    "max_age": 10886400,
    "endpoints": [{
    "url": "https://stefanjudis.com/.../network-report"
    }]
    },
    {
    "max_age": 10886400,
    "endpoints": [{
    "url": "https://stefanjudis.com/.../general-report"
    }]
    }

    View Slide

  56. developers.google.com/web/updates/2018/09/reportingapi

    View Slide

  57. Content-Security-Policy-Report-Only: default-src 'self'; script-src
    'self' 'unsafe-inline' 'unsafe-eval' just-comments.com www.google-
    analytics.com production-assets.codepen.io storage.googleapis.com;
    style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com
    images.ctfassets.net www.gravatar.com www.google-analytics.com just-
    comments.com; font-src 'self' data:; connect-src 'self'
    cdn.contentful.com images.contentful.com videos.contentful.com
    images.ctfassets.net videos.ctfassets.net service.just-comments.com
    www.google-analytics.com; media-src 'self' videos.contentful.com
    videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame-
    ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src
    'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https://
    stefanjudis.report-uri.com/r/d/csp/reportOnly
    Response Header

    View Slide

  58. Content-Security-Policy-Report-Only: default-src 'self'; script-src
    'self' 'unsafe-inline' 'unsafe-eval' just-comments.com www.google-
    analytics.com production-assets.codepen.io storage.googleapis.com;
    style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com
    images.ctfassets.net www.gravatar.com www.google-analytics.com just-
    comments.com; font-src 'self' data:; connect-src 'self'
    cdn.contentful.com images.contentful.com videos.contentful.com
    images.ctfassets.net videos.ctfassets.net service.just-comments.com
    www.google-analytics.com; media-src 'self' videos.contentful.com
    videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame-
    ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src
    'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https://
    stefanjudis.report-uri.com/r/d/csp/reportOnly
    Response Header

    View Slide

  59. Content-Security-Policy:
    default-src 'self';
    script-src 'sha256-blL...'
    <br/>console.log('Inline script executing ...');<br/>
    Response Header

    View Slide

  60. Content-Security-Policy:
    default-src 'self';
    script-src 'nonce-abc...'
    <br/>console.log('Inline script executing ...');<br/>
    Response Header

    View Slide

  61. caniuse.com/#feat=contentsecuritypolicy

    View Slide

  62. caniuse.com/#feat=contentsecuritypolicy2
    *
    * not complete

    View Slide

  63. httparchive.org

    View Slide

  64. How many pages
    use CSP?

    View Slide

  65. USE CSP DON'T USE CSP
    94%
    6%

    View Slide

  66. USE CSP DON'T USE CSP
    94%
    6%
    We can do better!

    View Slide

  67. Always monitor your CSP reports
    and "test in production" with
    report-only before enforcing them!
    Troy Hunt

    View Slide

  68. Disallow
    third-party cookies!

    View Slide

  69. Set-Cookie: widget_session=abc123;
    Response Header
    Set-Cookie: ...

    View Slide

  70. Set-Cookie: widget_session=abc123;
    Response Header
    Set-Cookie: ...
    This behaviour leads to
    security and privacy issues

    View Slide

  71. Set-Cookie: widget_session=abc123; SameSite=None; Secure
    Set-Cookie: widget_session=abc123; SameSite=Lax; Secure
    Set-Cookie: widget_session=abc123; SameSite=Strict; Secure
    Response Header

    View Slide

  72. caniuse.com/#feat=same-site-cookie-attribute
    *
    * somewhat ready but maybe buggy

    View Slide

  73. web.dev/samesite-cookies-explained

    View Slide

  74. the-responsible.dev/safe/

    View Slide

  75. The web is crucial
    for people.

    View Slide

  76. Your sh** doesn't
    work in Africa.
    William Imoh

    View Slide

  77. View Slide

  78. You get 6MB for 2Euros
    but you have only 24h to
    use them! Right...

    View Slide

  79. whatdoesmysitecost.com

    View Slide

  80. The web
    has to be affordable!

    View Slide

  81. Don't request
    the same content
    over and over again

    View Slide

  82. Cache-Control:
    max-age=31536000, public, immutable
    Response Header

    View Slide

  83. immutable
    developer.mozilla.org/en-US/docs/Web/HTTP/
    Headers/Cache-Control

    View Slide

  84. csswizardry.com/2019/03/cache-control-for-civilians/

    View Slide

  85. Send the right data

    View Slide

  86. Accept-Encoding:
    gzip, deflate, br
    Request Header

    View Slide

  87. View Slide

  88. View Slide

  89. But Brotli compression
    is so slow!

    View Slide

  90. GZIP Brotli
    vs
    Default
    Mode
    6
    11

    View Slide

  91. GZIP Brotli
    Default
    Mode
    vs
    6
    11

    View Slide

  92. GZIP Brotli
    Optimal
    middle
    ground
    vs
    6
    4

    View Slide

  93. GZIP Brotli
    Optimal
    middle
    ground
    vs
    6
    4
    Brotli tends to
    compress better
    with the same speed

    View Slide

  94. GZIP Brotli
    Optimal
    middle
    ground
    vs
    6
    4
    You don't have
    to do it on the fly...

    View Slide

  95. blogs.akamai.com/2016/02/understanding-brotlis-potential.html

    View Slide

  96. caniuse.com/#feat=brotli

    View Slide

  97. View Slide

  98. View Slide

  99. Serve tailored media

    View Slide



  100. media="(min-width: 50em)"
    sizes="50vw"
    srcset="/image/thing-200.webp 200w, /image/thing-400.webp 400w,
    /image/thing-800.webp 800w, /image/thing-1200.webp 1200w,
    /image/thing-1600.webp 1600w, /image/thing-2000.webp 2000w"
    type="image/webp">
    sizes="(min-width: 30em) 100vw"
    srcset="/image/thing-crop-200.webp 200w, /image/thing-crop-400.webp 400w,
    /image/thing-crop-800.webp 800w, /image/thing-crop-1200.webp 1200w,
    /image/thing-crop-1600.webp 1600w, /image/thing-crop-2000.webp 2000w"
    type="image/webp">

    media="(min-width: 50em)"
    sizes="50vw"
    srcset="/image/thing-200.jpg 200w, /image/thing-400.jpg 400w,
    /image/thing-800.jpg 800w, /image/thing-1200.jpg 1200w,
    /image/thing-1600.jpg 1600w, /image/thing-2000.jpg 2000w">
    sizes="(min-width: 30em) 100vw"

    View Slide

  101. /image/thing-800.webp 800w, /image/thing-1200.webp 1200w,
    /image/thing-1600.webp 1600w, /image/thing-2000.webp 2000w"
    type="image/webp">
    sizes="(min-width: 30em) 100vw"
    srcset="/image/thing-crop-200.webp 200w, /image/thing-crop-400.webp 400w,
    /image/thing-crop-800.webp 800w, /image/thing-crop-1200.webp 1200w,
    /image/thing-crop-1600.webp 1600w, /image/thing-crop-2000.webp 2000w"
    type="image/webp">

    media="(min-width: 50em)"
    sizes="50vw"
    srcset="/image/thing-200.jpg 200w, /image/thing-400.jpg 400w,
    /image/thing-800.jpg 800w, /image/thing-1200.jpg 1200w,
    /image/thing-1600.jpg 1600w, /image/thing-2000.jpg 2000w">
    sizes="(min-width: 30em) 100vw"
    srcset="/image/thing-crop-200.jpg 200w, /image/thing-crop-400.jpg 400w,
    /image/thing-crop-800.jpg 800w, /image/thing-crop-1200.jpg 1200w,
    /image/thing-crop-1600.jpg 1600w, /image/thing-crop-2000.jpg 2000w">



    View Slide

  102. Accept:
    image/webp,
    image/apng,
    image/*,*/*;q=0.8
    Request Header

    View Slide

  103. caniuse.com/#feat=webp

    View Slide

  104. Accept-CH: Width, Viewport-Width
    Accept-CH-Lifetime: 100
    Request URL: https://.../header.jpg

    Viewport-Width: 980
    Width: 980

    View Slide


  105. Accept: image/webp,image/apng,image/*,*/*;q=0.8

    Request URL: https://.../header.jpg

    Viewport-Width: 980
    Width: 980

    View Slide


  106. Accept: image/webp,image/apng,image/*,*/*;q=0.8

    Request URL: https://.../header.jpg

    Viewport-Width: 980
    Width: 1960

    View Slide


  107. Accept: image/webp,image/apng,image/*,*/*;q=0.8

    Request URL: https://.../header.jpg

    Viewport-Width: 980
    Width: 1064
    Serve a tailored version
    via server/service worker

    View Slide

  108. speaking.jeremy.codes/yD4dKY/take-a-client-hint

    View Slide

  109. www.zdnet.com/article/privacy-concerns-raised-about-upcoming-client-hints-web-standard/

    View Slide

  110. Sec-CH-UA: "Examplary Browser"; v="73"
    Accept-CH: UA, Platform
    Sec-CH-UA: "Examplary Browser"; v="73.3R8.2H.1"
    Sec-CH-UA-Platform: "Windows"; v="10"

    View Slide

  111. wicg.github.io/ua-client-hints/

    View Slide

  112. Save data

    View Slide

  113. save-data: on
    if ("connection" in navigator) {
    if (navigator.connection.saveData === true) {
    // Implement data saving operations here.
    }
    }
    Request Header

    View Slide

  114. View Slide

  115. Let's use the platform
    and make these
    features more visible

    View Slide

  116. https://....
    Save
    data?

    View Slide

  117. https://....
    Save
    data?
    We should provide an
    easy way to save data!

    View Slide

  118. Save
    data?
    https://....
    Prefer reduced
    motion?
    Prefer a dark
    interface?

    View Slide

  119. Save
    data?
    https://....
    Reduced
    Motion?
    Dark colour
    Scheme?
    All these settings should
    be easily accessible all
    the time!

    View Slide

  120. View Slide

  121. blog.chromium.org/2019/03/chrome-lite-pages-for-faster-leaner.html

    View Slide

  122. blog.chromium.org/2019/03/chrome-lite-pages-for-faster-leaner.html
    I'm not sure
    how I feel about that...

    View Slide

  123. Cache-Control:
    max-age=31536000, public, no-transform
    Response Header

    View Slide

  124. Be aware of CDNs and
    proxies – use vary

    View Slide

  125. View Slide

  126. Should browsers or
    developers optimise?

    View Slide

  127. The browser can only
    optimise to a certain
    extend...

    View Slide

  128. View Slide

  129. 20% of requests...

    View Slide

  130. https:/
    /nooshu.github.io/blog/2019/09/01/speeding-up-the-web-with-save-data-header/

    View Slide

  131. Less Data Doesn't Mean
    a Lesser Experience
    Tim Kadlec

    View Slide

  132. the-responsible.dev/affordable/

    View Slide

  133. The web is
    with us every day

    View Slide

  134. 2018.bloomca.me

    View Slide

  135. It has to be respectful!

    View Slide

  136. Get stuff "down" as
    quickly as possible

    View Slide

  137. Link:
    ; rel=preload; as=image; no-push

    Response Header

    View Slide

  138. Link:
    ; rel=preload; as=image; no-push

    Response Header
    This is great to speed
    up critical resources

    View Slide

  139. caniuse.com/#feat=link-rel-preload
    *
    * behind a flag

    View Slide

  140. Don't annoy the user
    (aka. the AMP reaction)

    View Slide

  141. speakerdeck.com/stefanjudis/amp-tries-to-fix-the-web-what-can-we-learn-from-it?slide=112

    View Slide

  142. Feature-Policy:
    vibrate 'none'; geolocation 'none'
    Response Header

    View Slide

  143. accelerometer
    ambient-light-sensor
    autoplay
    camera
    document-domain
    encrypted-media
    fullscreen
    geolocation
    gyroscope
    layout-animations
    legacy-image-formats
    magnetometer
    microphone
    midi
    oversized-images
    payment
    picture-in-picture
    speaker
    sync-xhr
    unoptimized-images
    unsized-media
    usb
    vibrate
    vr
    developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    View Slide

  144. accelerometer
    ambient-light-sensor
    autoplay
    camera
    document-domain
    encrypted-media
    fullscreen
    geolocation
    gyroscope
    layout-animations
    legacy-image-formats
    magnetometer
    microphone
    midi
    oversized-images
    payment
    picture-in-picture
    speaker
    sync-xhr
    unoptimized-images
    unsized-media
    usb
    vibrate
    vr
    developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    View Slide

  145. accelerometer
    ambient-light-sensor
    autoplay
    camera
    document-domain
    encrypted-media
    fullscreen
    geolocation
    gyroscope
    layout-animations
    legacy-image-formats
    magnetometer
    microphone
    midi
    oversized-images
    payment
    picture-in-picture
    speaker
    sync-xhr
    unoptimized-images
    unsized-media
    usb
    vibrate
    vr
    developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    View Slide

  146. tiny-helpers.dev

    View Slide

  147. src="/screenshots/{{ item.slug }}@2.jpg"
    alt="Screenshot of {{ item.name }}"
    loading="lazy">
    src="/screenshots/{{ item.slug }}@2.jpg"
    alt="Screenshot of {{ item.name }}"
    width="1000"
    height="600"
    loading="lazy">

    View Slide

  148. tiny-helpers.dev

    View Slide

  149. www.youtube.com/watch?v=4-d_SoCHeWE

    View Slide

  150. www.youtube.com/watch?v=4-d_SoCHeWE
    Define width & height
    to avoid jumpy pages

    View Slide

  151. View Slide

  152. new ReportingObserver((reports, observer) => {
    reports.forEach(({type, url, body}) => {
    console.log(type, url);
    // 'feature-policy-violation', https://some-url.com/...
    console.log(body);
    // {
    // featureId: 'oversized-images',
    // sourceFile: 'https://path-to-image/...
    // ...
    // }
    });
    }, {types: ['feature-policy-violation'], buffered: true}).observe();

    View Slide

  153. Report-To: {
    "max_age": 10886400,
    "endpoints": [{
    "url": "https://stefanjudis.com/.../general-report"
    }]
    }

    View Slide

  154. timkadlec.com/remembers/2020-02-20-in-browser-performance-linting-with-feature-policies/

    View Slide

  155. feature-policy: accelerometer 'none'; camera
    'none'; geolocation 'none'; gyroscope 'none';
    magnetometer 'none'; microphone 'none';
    payment 'none'; usb 'none'
    Response Header

    View Slide


  156. document.featurePolicy.allowedFeatures();
    // → ["geolocation", "midi", ...]
    document.featurePolicy.allowsFeature('geolocation');
    // → true
    document.featurePolicy.getAllowlistForFeature('geolocation');
    // → ["https://example.com"]

    View Slide

  157. What happened to the
    most annoying one?

    View Slide

  158. github.com/w3c/webappsec-feature-policy/issues/243

    View Slide

  159. blog.chromium.org/2020/01/introducing-quieter-permission-ui-for.html

    View Slide

  160. caniuse.com/#feat=feature-policy
    ** support only for allow on iframes
    **
    * support for Feature-Policy header,
    allow on iframes, and JS API behind a flag
    * * *
    **

    View Slide

  161. Respect privacy

    View Slide

  162. View Slide

  163. caniuse.com/#feat=do-not-track

    View Slide

  164. webkit.org/blog/8594/release-notes-for-safari-technology-preview-75/

    View Slide

  165. caniuse.com/#feat=do-not-track

    View Slide

  166. caniuse.com/#feat=do-not-track
    It was a nice try,
    but I don't really see
    that happening...

    View Slide

  167. View Slide

  168. View Slide

  169. View Slide

  170. View Slide

  171. www.xanjero.com/news/samsung-internet-beta-version-9-2-now-includes-oneui-design-smart-
    anti-tracking-and-more-features/

    View Slide

  172. webkit.org/blog/category/privacy/

    View Slide

  173. www.engadget.com/2019/11/04/chromium-edge-browser-release-date/

    View Slide

  174. The next browser war
    is on its way...

    View Slide

  175. the-responsible.dev/respectful/

    View Slide

  176. Building for
    the web is very hard

    View Slide

  177. Design Performance
    Content Accessibility
    Devices
    Network
    Frameworks

    View Slide

  178. Lighthouse

    View Slide

  179. webhint.io

    View Slide

  180. If you want to get a more
    complete overview...

    View Slide

  181. www.twilio.com/blog/a-http-headers-for-the-responsible-developer

    View Slide

  182. securityheaders.com

    View Slide

  183. schepp.github.io/HTTP-headers

    View Slide

  184. youtu.be/II9m9_esNZc

    View Slide

  185. The web has to be
    safe...

    View Slide

  186. The web has to be
    safe, affordable...

    View Slide

  187. The web has to be
    safe, affordable and
    respectful...

    View Slide

  188. ... so that it really is

    for everybody!

    View Slide

  189. @stefanjudis
    www.stefanjudis.com
    Thanks.
    Slides:

    my-links.online/the-responsible-dev

    View Slide

  190. @stefanjudis
    www.stefanjudis.com
    Thanks.
    Slides:

    my-links.online/the-responsible-dev I have some stickers!

    View Slide