Good question, and thanks for asking.
I haven’t reached a view on it yet.
I’ve shied away from headers which place too much complexity on the user, or are unlikely to provide substantive security improvement, or will create headaches that can’t be solved by intelligent reading of the console error messages.
For example Content Security Policies, whilst an excellent idea, really need co-ordinated action from WordPress to support them effectively, since the biggest attack surface is the admin console for XSS (and similar issues, CSRF), and that requires all plugins to be covered (or it will break plugin admin and be annoying and people will uninstall – this happens a little already – we struggle against complexity), so it really needs plugins to state their requirements on installation.
If CSP were done centrally, any failure due to the CSP is either hacking or a bug in a plugin not stating its requirements, whereas currently I’ve been unable to define a particularly effective CSP for my own trivial personal blog, let alone complex sites with multiple plugins.
I’m minded at the moment that Feature Policy is similar, and that the most invasive features for user privacy (like camera and microphone) are already defaulted to prompt the user in all good browsers. Thus you would look to disable Microphone if your site has a subset that permits telephony, but you don’t want a bug elsewhere in the site to permit eavesdropping because the per site permissions are too coarse. If a site doesn’t use microphones I don’t see the win in disabling it further, especially since it can be overridden in an iframe.
It may make sense to have a plugin that simply says “none, none, none...” and can be disabled if you use a feature, but I’m not sure how much that really gains end users in privacy or security.
Please do let me know your views. Especially scenarios where it makes sense, or is a clear win, may make me change my mind, as I haven’t done any thorough thinking or modeling on this.
Whilst I love sites like Security-headers.io (and Scott seems like a nice chap too) which assess security and give easy-to-understand scores, they are no substitute for thinking through the security gains (and costs). I will only implement the feature if it is a clear win, and not overly complex (I don’t want to be like other security tools that are so complex they introduce their own security flaws; I’ve already had one major bug, although it didn’t open up new attack surface).
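The “none, none, none...” plugin with a per-feature override discussed in the comment above, as an added PHP example (not the commenter’s or the plugin’s own code): it assumes WordPress’s real `send_headers` action and a hypothetical `fp_example_policy` filter through which a plugin that genuinely needs a feature (such as telephony needing the microphone) re-enables only that one.

```php
<?php
// Added example, not plugin code. Default: every listed feature denied.
function fp_example_default_policy() {
    return array(
        'camera'      => "'none'",
        'microphone'  => "'none'",
        'geolocation' => "'none'",
    );
}

// Build the Feature-Policy value from a directive => allowlist map.
// Only 'none', 'self', '*' and https origins pass, so a plugin feeding
// bad values through the filter cannot produce a malformed header.
function fp_example_build_header( array $policy ) {
    $parts = array();
    foreach ( $policy as $feature => $allowlist ) {
        if ( ! preg_match( '/^[a-z][a-z0-9-]*$/', $feature ) ) {
            continue; // not a valid directive name
        }
        $tokens = preg_split( '/\s+/', trim( $allowlist ) );
        foreach ( $tokens as $t ) {
            if ( $t !== "'none'" && $t !== "'self'" && $t !== '*'
                 && ! preg_match( '#^https://[a-z0-9.-]+(:\d+)?$#i', $t ) ) {
                continue 2; // drop the whole directive rather than emit junk
            }
        }
        $parts[] = $feature . ' ' . implode( ' ', $tokens );
    }
    return implode( '; ', $parts );
}

// 'send_headers' is a real WordPress action fired on front-end responses;
// the 'fp_example_policy' filter name is hypothetical.
add_action( 'send_headers', function () {
    $policy = apply_filters( 'fp_example_policy', fp_example_default_policy() );
    $header = fp_example_build_header( $policy );
    if ( $header !== '' ) {
        header( 'Feature-Policy: ' . $header );
    }
} );

// A hypothetical telephony plugin re-enabling just the microphone for
// same-origin documents; everything else stays at 'none'.
add_filter( 'fp_example_policy', function ( $policy ) {
    $policy['microphone'] = "'self'";
    return $policy;
} );
```

With the filter above active, the emitted header is `Feature-Policy: camera 'none'; microphone 'self'; geolocation 'none'`; without it, all three directives are `'none'`.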