Add Permissions-Policy header

Ref h5bp/server-configs-apache#179

h5bp/security/permissions-policy.conf

@@ -0,0 +1,23 @@
+# ----------------------------------------------------------------------
+# | Permissions Policy                                                 |
+# ----------------------------------------------------------------------
+
+# Set a strict Permissions Policy to mitigate access to browser features.
+#
+# The header uses a structured syntax, and allows sites to more tightly
+# restrict which origins can be granted access to features.
+# The list of available features: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
+#
+# The example policy below aims to disable all features expect synchronous
+# `XMLHttpRequest` requests on the same origin.
+#
+# To check your Permissions Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
+#
+# https://www.w3.org/TR/permissions-policy-1/
+# https://owasp.org/www-project-secure-headers/#permissions-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+# https://scotthelme.co.uk/a-new-security-header-feature-policy/
+
+add_header Permissions-Policy $permissions_policy always;

nginx.conf

@@ -108,8 +108,14 @@ http {
     ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
   }
 
+  # Add Permissions-Policy for HTML documents.
+  # h5bp/security/permissions-policy.conf
+  map $sent_http_content_type $permissions_policy {
+    ~*text/(html|javascript)|application/pdf|xml "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()";
+  }
+
   # Add Referrer-Policy for HTML documents.
-  # h5bp/security/referrer-policy.conf.conf
+  # h5bp/security/referrer-policy.conf
   map $sent_http_content_type $referrer_policy {
     ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
   }