From 4bb616e1c4d47e4dccda07cbc4b657732a9ff5c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Fri, 20 Dec 2024 15:31:22 +0100
Subject: [PATCH] feat: add Permissions-Policy header to enhance security controls

---
 src/ui/main.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/ui/main.py b/src/ui/main.py
index 1cd49fab6..29221fa2e 100644
--- a/src/ui/main.py
+++ b/src/ui/main.py
@@ -418,6 +418,11 @@ def set_security_headers(response):
     # * Referrer-Policy header to prevent leaking of sensitive data
     response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
+    # * Permissions-Policy header to prevent unwanted behavior
+    response.headers["Permissions-Policy"] = (
+        "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=(), interest-cohort=()"
+    )
+
     if not request.path.startswith(("/css/", "/img/", "/js/", "/json/", "/fonts/", "/libs/")) and current_user.is_authenticated and "session_id" in session:
         executor.submit(mark_user_access, session["session_id"])
 
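Review bot: The new Permissions-Policy value denies every listed feature with `()`, which blocks the page's own origin as well as embedded frames, so any feature this UI actually relies on — WebAuthn/passkeys via `publickey-credentials-get`/`publickey-credentials-create`, `otp-credentials`, `fullscreen`, `web-share` — would stop working silently; confirm no page of the UI uses them, or allow those with `(self)` instead. Several names in the list (`interest-cohort`, `ambient-light-sensor`, `execution-while-not-rendered`, `execution-while-out-of-viewport`, `speaker-selection`) are deprecated or non-standard and, as far as current browsers go, are ignored with a console warning, so they add per-response bytes rather than protection. The single ~900-character literal is hard to review and to diff when a feature is added or removed; define the names once as a module-level tuple and build the value with `", ".join(f"{feature}=()" for feature in PERMISSIONS_POLICY_DENIED)`. The comment should also say what `()` means, e.g. `# * Permissions-Policy: deny browser features the UI does not use; "()" blocks every origin, including self`. set_security_headers starts before this hunk.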