replace Feature-Policy with Permissions-Policy header. fix elabftw/el…

…abftw#4881
elabftw · Jan 26, 2024 · 8a46a71 · 8a46a71
1 parent 6df60be
commit 8a46a71
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 * Fix `/etc/ssl/cert.pem` not in `open_basedir`
 * Update composer to 2.6.6
 * Disable ``open_basedir`` in dev mode
+* Replace Feature-Policy response header with Permissions-Policy and allow self for camera and microphone See https://github.com/elabftw/elabftw/issues/4881
 
 # 4.7.0
 

diff --git a/src/nginx/common.conf b/src/nginx/common.conf
@@ -122,7 +122,7 @@ more_set_headers "X-XSS-Protection: 0";
 more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Content-Security-Policy: default-src 'self' data:; script-src 'self' %UNSAFE-EVAL4DEV%; connect-src 'self' blob: https://get.elabftw.net; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; base-uri 'none'; frame-ancestors 'none'";
 more_set_headers "Referrer-Policy: no-referrer";
-more_set_headers "Feature-Policy: autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'";
+more_set_headers "Permissions-Policy: autoplay 'none'; camera 'self'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'self'; midi 'none'; payment 'none'; vr 'none'";
 more_set_headers "Vary: Accept-Encoding";
 more_set_headers "Server: %SERVER_HEADER%";
 # optional Access-Control-Allow-Origin header