THREESCALE-11928: Support Permissions-Policy header

[jlledom]

What this PR does / why we need it:

This PR allows the user to set their desired value for the Permissions-Policy header as a yaml file. Example

base: &default
  admin_portal:
    enabled: true
    policy:
      camera: ["'none'"]
      microphone: ["'none'"]
      geolocation: ["'self'"]
      usb: ["'none'"]
      payment: ["'none'"]
      fullscreen: ["'self'"]
  developer_portal:
    enabled: true
    policy: {}

With this config, the user can set:

• One policy for the admin portal
• One policy for all developer portals

The code here is very similar to what I did in #4185. I told claude to get inspiration from that PR and adapt it for permissions policy, since the rails backend for both headers is shared. My plan is to make a few changes before both PRs are merged to try to remove a bit of duplication.

Like in the CSP PR, the changes here are:

• Read the new config file from application.rb
• New config loader classes, for convenience.
• Update the initializer, to get the global config from the config class.
• New middleware to set a different policy for the developer portal.

Which issue(s) this PR fixes

https://issues.redhat.com/browse/THREESCALE-11928

Verification steps

A fast way to test this is:

1. Set the desired config from the yaml file for both admin and dev portal
2. Visit the portals and verify with the browser dev tools that the header is actually there
3. Take one permission, for example geolocation, and ask that permission via browser console:

navigator.geolocation.getCurrentPosition(                                                                                                                                                                                        
  pos => console.log('Allowed:', pos),                                                                                                                                                                                           
  err => console.log('Blocked:', err.message)                                                                                                                                                                                    
);

When forbidden, you should see the error in the console; when allowed, you should a prompt from the browser asking for permission.

Special notes for your reviewer:

A couple of comments:

1. The header was originally called Feature-Policy but was recently renamed to Permissions-Policy with a few additional features. Rails only supports the old one, so that's the header we see in the request, future Rails versions should add support for the new header.
2. Neither old or new headers are not supported for Firefox, so this can actually be tested only on Chrome/Chormium.

• https://caniuse.com/mdn-http_headers_feature-policy
• https://caniuse.com/mdn-http_headers_permissions-policy

[akostadinov]

Another config file 🤮

[jlledom]

Another config file 🤮

Thanks for your feed-back 😉.

This config file and CSP one are optional, you can not provide them and everything should work as before. Don't say I don't care about you.