Since HeadersConfigurer#featurePolicy is marked as deprecated, it appears that the same should apply to HeadersDsl#featurePolicy.
Comment From: eleftherias
Thanks @vpavic. This was already done in fa77f4c.
Comment From: vpavic
I'm observing this with 5.5.1 and the change's definitely not there in the 5.5.x branch:
https://github.com/spring-projects/spring-security/blob/5.5.x/config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt#L153-L166
Comment From: eleftherias
The fix was done after the 5.5.0 release, so it will be in 5.6.0. Ideally it would have been part of 5.5.0, but since it wasn't, I don't think we should backport a deprecation in a patch release.
Comment From: vpavic
IMO that reasoning doesn't really make sense because the feature policy header deprecation status is observed differently depending on what configuration method you're using hence this really is a bug.
If you're uneasy about adding deprecations in a patch release (I don't see a big issue there) maybe you can revert the ones that got in the 5.5.x. Either way, the status quo (i.e. inconsistency) is the least acceptable to me because it causes confusion.
Regardless of what you decide to do here, the way this was handled in fa77f4c isn't optimal because that commit referenced #9262 which was a part of an already published release, so those added deprecations (if not tied to an issue) won't be visible anywhere in the release notes.