# ----------------------------------------------------------------------
# | Permissions Policy |
# ----------------------------------------------------------------------
# Set a strict Permissions Policy to restrict access to browser features.
#
# The header uses a structured syntax, and allows sites to more tightly
# restrict which origins can be granted access to features.
# The list of available features: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
#
# The example policy below aims to disable all features except synchronous
# `XMLHttpRequest` requests on the same origin.
#
# To check your Permissions Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://www.w3.org/TR/permissions-policy-1/
# https://owasp.org/www-project-secure-headers/#permissions-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# https://scotthelme.co.uk/a-new-security-header-feature-policy/
<IfModule mod_headers.c>
# Emit a Permissions-Policy response header. The whole block is skipped
# when mod_headers is not loaded, so the policy is then silently absent.
#
# `always` selects the header table that is applied to error responses
# as well as to successful ones.
#
# Allowlist syntax: `feature=()` is an empty allowlist, which turns the
# feature off for the document and for every frame nested in it;
# `feature=(self)` keeps it available to same-origin content only.
# `sync-xhr` is the one feature left enabled, and only for `self`.
#
# NOTE(review): a feature that is not named in the list below keeps the
# browser's default allowlist, so this list has to be revisited when
# browsers ship new policy-controlled features.
#
# The trailing `expr=` condition limits the header to responses whose
# Content-Type matches, case-insensitively, `text/html`,
# `text/javascript`, `application/pdf`, or any type containing `xml`
# (the last alternative is unanchored). Other types, including
# `application/javascript`, get no header from this directive.
#
# Do not insert comment lines between the continued lines below: each
# line ending in a backslash is joined with the next one, so a comment
# placed there would become part of the header value.
Header always set Permissions-Policy "\
accelerometer=(),\
autoplay=(),\
browsing-topics=(),\
camera=(),\
display-capture=(),\
document-domain=(),\
encrypted-media=(),\
fullscreen=(),\
geolocation=(),\
gyroscope=(),\
magnetometer=(),\
microphone=(),\
midi=(),\
payment=(),\
picture-in-picture=(),\
publickey-credentials-get=(),\
screen-wake-lock=(),\
sync-xhr=(self),\
usb=(),\
web-share=(),\
xr-spatial-tracking=()\
" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>