From ba9d331affbfc2f0248ce81f858ae66e4825ba35 Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Tue, 1 Oct 2024 00:56:23 +0200
Subject: [PATCH] Security: Add Permissions-Policy header capability (at global level) - refs BT#22072

---
 main/inc/lib/template.lib.php | 5 +++++
 main/install/configuration.dist.php | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/main/inc/lib/template.lib.php b/main/inc/lib/template.lib.php
index b8cca15edd..83121e6796 100755
--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@@ -1940,6 +1940,11 @@ class Template
         if (!empty($setting)) {
             header('Referrer-Policy: '.$setting);
         }
+        // Permissions-Policy
+        $setting = api_get_configuration_value('security_permissions_policy');
+        if (!empty($setting)) {
+            header('Permissions-Policy: '.$setting);
+        }
         // end of HTTP headers security block
     }
 
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index b85e130188..767d99f168 100644
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -635,6 +635,11 @@ ALTER TABLE sys_announcement ADD COLUMN visible_boss INT DEFAULT 0;
 // More info: https://www.chromium.org/updates/same-site
 // Also: https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
 //$_configuration['security_session_cookie_samesite_none'] = false;
+//
+// Enable Permissions-Policy header
+// More info: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+// and also: https://scotthelme.co.uk/a-new-security-header-feature-policy/
+//$_configuration['security_permissions_policy'] = 'geolocation=(self "https://example.com"), microphone=()';
 // ------ HTTP headers security section ends here
 //
 // ------ Survey configuration settings
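Review bot: The `security_permissions_policy` value is sent verbatim in the new `header('Permissions-Policy: '.$setting);` line with no normalisation or validation, so a mistyped directive is silently dropped by browsers and the misconfiguration never surfaces; at minimum strip stray whitespace, `header('Permissions-Policy: '.trim($setting));`, and widen the one-word comment to `// Permissions-Policy: value comes from configuration.php and is emitted as-is; it must already be a valid structured-header value`. PHP's header() rejects a value containing a newline, so the configuration value cannot be used to inject a second header, but because this block runs for every page rendered through Template, any feature a directive disables is disabled site-wide, including for Chamilo's own tools. Reusing `$setting` from the Referrer-Policy block above is harmless since it is reassigned first, but a dedicated `$permissionsPolicy` would read better. The enclosing method starts outside the hunk.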
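Review bot: The sample value `geolocation=(self "https://example.com"), microphone=()` in the new configuration.dist.php comment turns the microphone off for every origin, including the portal itself, and the surrounding text does not say that the header applies to every page; an administrator who copies the example unchanged will break any Chamilo feature that records audio. Add a sentence such as `// Note: this header is sent on every page of the portal, so a directive like microphone=() disables that feature site-wide, including for Chamilo's own tools; list the features your installation actually uses before enabling it.` The commit title's "at global level" should also be reflected here, since this file is the only place an administrator will read about the setting.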