From 4bc02e643fa9da84e69a1071aa5a0d70b4a310ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Wed, 19 Jun 2024 13:34:11 +0100
Subject: [PATCH] chore: Add X-DNS-Prefetch-Control header + Update Strict-Transport-Security default value + add the Public-Key-Pins as removed header by default + Add the DISABLE_FLOC setting to control if we want to allow Federated Learning of Cohorts or not

---
 src/common/core/headers/headers.lua | 6 ++++++
 src/common/core/headers/plugin.json | 25 ++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/common/core/headers/headers.lua b/src/common/core/headers/headers.lua
index af44574b6..3d04c40f2 100644
--- a/src/common/core/headers/headers.lua
+++ b/src/common/core/headers/headers.lua
@@ -22,6 +22,7 @@ function headers:initialize(ctx)
 ["X_FRAME_OPTIONS"] = "X-Frame-Options",
 ["X_CONTENT_TYPE_OPTIONS"] = "X-Content-Type-Options",
 ["X_XSS_PROTECTION"] = "X-XSS-Protection",
+ ["X_DNS_PREFETCH_CONTROL"] = "X-DNS-Prefetch-Control",
 }
 -- Load data from datastore if needed
 if get_phase() ~= "init" then
@@ -95,6 +96,11 @@ function headers:header()
 and self.variables["CONTENT_SECURITY_POLICY_REPORT_ONLY"] == "yes"
 then
 ngx_header["Content-Security-Policy-Report-Only"] = self.variables[variable]
+ elseif header == "Permissions-Policy" then
+ ngx_header[header] = self.variables[variable]
+ if self.variables["DISABLE_FLOC"] == "yes" then
+ ngx_header[header] = ngx_header[header] .. "; interest-cohort=()"
+ end
 else
 ngx_header[header] = self.variables[variable]
 end
diff --git a/src/common/core/headers/plugin.json b/src/common/core/headers/plugin.json
index dfb5a5ed1..97563074d 100644
--- a/src/common/core/headers/plugin.json
+++ b/src/common/core/headers/plugin.json
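Review bot: The new `elseif header == "Permissions-Policy"` branch appends `interest-cohort=()` with a `; ` separator, but Permissions-Policy directives are comma-separated — the PERMISSIONS_POLICY default and regex that this same patch ships in plugin.json only accept `, `-separated entries — so the emitted value is malformed and a browser parsing it under the structured-header grammar will most likely discard the whole header, losing every other restriction along with it. Change the concatenation to `ngx_header[header] = ngx_header[header] .. ", interest-cohort=()"`. An empty PERMISSIONS_POLICY value would still produce a value starting with `, `; I cannot see from the hunk whether empty values are skipped earlier, so either guard it, e.g. `if ngx_header[header] == "" then ngx_header[header] = "interest-cohort=()" else ngx_header[header] = ngx_header[header] .. ", interest-cohort=()" end`, or confirm the caller never reaches here with an empty string. The same `;` assumption is echoed in the DISABLE_FLOC help text in plugin.json. `headers:header()` begins outside the hunk.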
@@ -17,7 +17,7 @@
 },
 "REMOVE_HEADERS": {
 "context": "multisite",
- "default": "Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version",
+ "default": "Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version Public-Key-Pins",
 "help": "Headers to remove (Header1 Header2 Header3 ...)",
 "id": "remove-headers",
 "label": "Remove headers",
@@ -35,7 +35,7 @@
 },
 "STRICT_TRANSPORT_SECURITY": {
 "context": "multisite",
- "default": "max-age=31536000",
+ "default": "max-age=31536000; includeSubDomains; preload",
 "help": "Value for the Strict-Transport-Security header.",
 "id": "strict-transport-security",
 "label": "Strict-Transport-Security",
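Review bot: Putting `preload` together with `includeSubDomains` into the default STRICT_TRANSPORT_SECURITY value (the `+ "default"` line of the `@@ -35` hunk) makes an opt-in, hard-to-undo commitment the out-of-the-box behaviour: once a domain is accepted onto the browser HSTS preload list, every subdomain — including ones never served through this proxy or not yet on HTTPS — is forced to HTTPS for all clients, and removal from the list takes months. `max-age=31536000; includeSubDomains` is a defensible default; `preload` only makes sense for operators who deliberately submit to the preload list and should stay opt-in. If the default is kept, the help text should at least say what it commits to, e.g. `"help": "Value for the Strict-Transport-Security header. includeSubDomains applies to every subdomain of the site; keep preload only if you intend to submit the domain to the HSTS preload list, which is hard to reverse."`.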
@@ -90,13 +90,22 @@
 },
 "PERMISSIONS_POLICY": {
 "context": "multisite",
- "default": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()",
+ "default": "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()",
 "help": "Value for the Permissions-Policy header.",
 "id": "permissions-policy",
 "label": "Permissions-Policy",
 "regex": "^(?![, ])(,? 
?([a-z\\-]+)(?!.*[^\\-]\\2=)=(\\*|\\(( ?(self|\\u0022https?:\\/\\/[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*\\u0022)(?=[ \\)]))*\\)))*$",
 "type": "text"
 },
+ "DISABLE_FLOC": {
+ "context": "multisite",
+ "default": "yes",
+ "help": "Disable FLoC (Federated Learning of Cohorts) by adding the interest-cohort=() directive to the Permissions-Policy header.",
+ "id": "disable-floc",
+ "label": "Disable FLoC (Federated Learning of Cohorts)",
+ "regex": "^(yes|no)$",
+ "type": "check"
+ },
 "X_FRAME_OPTIONS": {
 "context": "multisite",
 "default": "SAMEORIGIN",
@@ -125,6 +134,16 @@
 "label": "X-XSS-Protection",
 "regex": "^0|1(; (mode=block|report=https?:\\/\\/[\\-\\w@:%.+~#=]+[\\-\\w\\(\\)!@:%+.~#?&\\/=$]*))?$",
 "type": "text"
+ },
+ "X_DNS_PREFETCH_CONTROL": {
+ "context": "multisite",
+ "default": "off",
+ "help": "Value for the X-DNS-Prefetch-Control header.",
+ "id": "x-dns-prefetch-control",
+ "label": "X-DNS-Prefetch-Control",
+ "regex": "^(on|off)$",
+ "type": "select",
+ "select": ["on", "off"]
 }
 }
 }
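Review bot: The DISABLE_FLOC help text in the `@@ -90` hunk names the directive but not how it interacts with the operator's own PERMISSIONS_POLICY value: the Lua side of this patch appends it unconditionally whenever the setting is "yes", so an operator who already lists `interest-cohort=()` in PERMISSIONS_POLICY gets it twice, and the PERMISSIONS_POLICY regex on this hunk gives no hint that a second setting alters the final header. As far as I know FLoC itself was withdrawn in favour of the Topics API, whose opt-out `browsing-topics=()` is already present in the new default on the `+ "default"` line, so the help should tell operators which directive currently matters and that the setting is additive. Suggest `"help": "Append interest-cohort=() (the FLoC opt-out) to whatever PERMISSIONS_POLICY contains; the default PERMISSIONS_POLICY already opts out of FLoC's successor via browsing-topics=(), so leave this off if you list interest-cohort=() yourself."`.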