Security: Add Permissions-Policy header capability (at global level) - refs BT#22072

ywarnier · ywarnier · commit ba9d331affbf · 2024-10-01T00:56:23.000+02:00
diff --git a/main/inc/lib/template.lib.php b/main/inc/lib/template.lib.php
@@ -1940,6 +1940,11 @@ private function addHTTPSecurityHeaders()
         if (!empty($setting)) {
             header('Referrer-Policy: '.$setting);
         }
+        // Permissions-Policy
+        $setting = api_get_configuration_value('security_permissions_policy');
+        if (!empty($setting)) {
+            header('Permissions-Policy: '.$setting);
+        }
         // end of HTTP headers security block
     }
 
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
@@ -635,6 +635,11 @@
 // More info: https://www.chromium.org/updates/same-site
 // Also: https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
 //$_configuration['security_session_cookie_samesite_none'] = false;
+//
+// Enable Permissions-Policy header
+// More info: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+// and also:  https://scotthelme.co.uk/a-new-security-header-feature-policy/
+//$_configuration['security_permissions_policy'] = 'geolocation=(self "https://example.com"), microphone=()';
 // ------ HTTP headers security section ends here
 //
 // ------ Survey configuration settings

Original file line number	Diff line number	Diff line change
`@@ -1940,6 +1940,11 @@ private function addHTTPSecurityHeaders()`
`1940`	`1940`	`if (!empty($setting)) {`
`1941`	`1941`	`header('Referrer-Policy: '.$setting);`
`1942`	`1942`	`}`
	`1943`	`+ // Permissions-Policy`
	`1944`	`+ $setting = api_get_configuration_value('security_permissions_policy');`
	`1945`	`+ if (!empty($setting)) {`
	`1946`	`+ header('Permissions-Policy: '.$setting);`
	`1947`	`+ }`
`1943`	`1948`	`// end of HTTP headers security block`
`1944`	`1949`	`}`
`1945`	`1950`