From 36310b927b167ef8561dc6407ab9707038b804c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 28 Jun 2021 14:29:20 +0200
Subject: [PATCH] Add `Permissions-Policy` header

Ref https://github.com/h5bp/server-configs-apache/issues/179
---
 h5bp/security/permissions-policy.conf | 23 +++++++++++++++++++++++
 nginx.conf | 8 +++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 h5bp/security/permissions-policy.conf

diff --git a/h5bp/security/permissions-policy.conf b/h5bp/security/permissions-policy.conf
new file mode 100644
index 0000000..00bdedf
--- /dev/null
+++ b/h5bp/security/permissions-policy.conf
@@ -0,0 +1,23 @@
+# ----------------------------------------------------------------------
+# | Permissions Policy |
+# ----------------------------------------------------------------------
+
+# Set a strict Permissions Policy to mitigate access to browser features.
+#
+# The header uses a structured syntax, and allows sites to more tightly
+# restrict which origins can be granted access to features.
+# The list of available features: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
+#
+# The example policy below aims to disable all features expect synchronous
+# `XMLHttpRequest` requests on the same origin.
+#
+# To check your Permissions Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
+#
+# https://www.w3.org/TR/permissions-policy-1/
+# https://owasp.org/www-project-secure-headers/#permissions-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+# https://scotthelme.co.uk/a-new-security-header-feature-policy/
+
+add_header Permissions-Policy $permissions_policy always;
diff --git a/nginx.conf b/nginx.conf
index cbb4a3e..6b136db 100644
--- a/nginx.conf
+++ b/nginx.conf
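Review bot: The comment line `+# The example policy below aims to disable all features expect synchronous` has a typo that inverts its meaning; it should read `# The example policy below aims to disable all features except synchronous`. The `add_header` line also deserves a comment on two nginx behaviours that bite in practice: `add_header` directives are not inherited into a `server` or `location` block that declares its own `add_header`, so this snippet must be included at every level that sets headers, and nginx drops a header whose value is the empty string, so any response whose content type does not match the `$permissions_policy` map is sent without the header at all. A comment such as `# Only emitted when $permissions_policy is non-empty (see the map in nginx.conf); re-include this file in any block that declares its own add_header.` would make both points visible to the next reader.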
@@ -108,8 +108,14 @@ http {
 ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
 }
 
+ # Add Permissions-Policy for HTML documents.
+ # h5bp/security/permissions-policy.conf
+ map $sent_http_content_type $permissions_policy {
+ ~*text/(html|javascript)|application/pdf|xml "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()";
+ }
+
 # Add Referrer-Policy for HTML documents.
- # h5bp/security/referrer-policy.conf.conf
+ # h5bp/security/referrer-policy.conf
 map $sent_http_content_type $referrer_policy {
 ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
 }
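Review bot: The new `$permissions_policy` map writes its content-type pattern as `~*text/(html|javascript)|application/pdf|xml`, while the `$referrer_policy` map a few lines below escapes the slash as `application\/pdf`; both spellings match in PCRE, but two adjacent maps should use one form. Browsers consume Permissions-Policy on document responses, so the `javascript`, `pdf` and `xml` alternatives add a long header to responses that never evaluate it; if that is kept deliberately for symmetry with the Content-Security-Policy map above, a comment on the map saying so (`# Same content-type set as the CSP map above; only HTML documents evaluate the policy.`) would prevent a later "cleanup" that silently diverges the maps. The enclosing `http {}` block starts and ends outside the hunk.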