Update -headers-csp.conf Feature-Policy with Permissions-Policy
The feature-policy is being replaced with the new permissions-policy.
Our current feature-policy looks like this:
#add_header Feature-Policy "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; usb none;";
I've recreated what I can from the available settings using this website: https://www.permissionspolicy.com/
add_header Permissions-Policy "camera=(), fullscreen=(self), geolocation=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(), usb=(), speaker-selection=()";
I was unsure of the syntax, so I googled a little and actually found the exact same policy here: https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
There's not a lot of info online regarding the correct formatting, even on Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy
Nginx syntax check is all good when the above is added.
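The syntax change between the two headers above, as an added example that is not part of the original post or of this project's code: a small Python converter that rewrites a Feature-Policy value in the Permissions-Policy structured-field form. The function name and its `skip` and `rename` parameters are hypothetical, and it goes slightly beyond the post by also handling `*` and origin entries.

```python
def convert_feature_policy(value, skip=(), rename=None):
    """Rewrite a Feature-Policy value in Permissions-Policy syntax.

    skip / rename are hypothetical parameters: feature names to leave out,
    and old-name -> new-name pairs. Which names go there is the caller's call.
    """
    rename = rename or {}
    out = []
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty piece, e.g. after the trailing ';'
        feature, allowlist = tokens[0].lower(), tokens[1:]
        if feature in skip:
            continue
        if not allowlist:
            raise ValueError(f"{feature}: no allowlist given, refusing to guess")
        feature = rename.get(feature, feature)
        # Accept keywords with or without the single quotes Feature-Policy used.
        keys = [t.strip("'").lower() for t in allowlist]
        if "none" in keys and len(keys) > 1:
            raise ValueError(f"{feature}: 'none' mixed with other entries")
        if "*" in keys:
            out.append(f"{feature}=*")  # wildcard is a bare token, no parentheses
            continue
        members = []
        for tok, key in zip(allowlist, keys):
            if key == "none":
                continue  # leaves the inner list empty: feature=()
            if key == "self":
                members.append("self")  # keyword loses its quotes
            elif tok.startswith("'") or '"' in tok or "\\" in tok:
                raise ValueError(f"{feature}: cannot convert entry {tok!r}")
            else:
                members.append(f'"{tok}"')  # origins become double-quoted strings
        out.append(f"{feature}=({' '.join(members)})")
    return ", ".join(out)


# Constructed sample input in the shape of the old header discussed above.
OLD = "geolocation none; fullscreen self; camera 'self' https://example.com; usb *;"

if __name__ == "__main__":
    print(convert_feature_policy(OLD))
```

The output still has to be wrapped in `add_header Permissions-Policy "...";` with the inner double quotes escaped for nginx if any origin entries are present.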