Add Permissions-Policy header to headers.Caddyfile

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/8ef03112-cdc4-46d1-b1f1-96c2a85e92c0 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-28 14:30:13 +00:00 · 2026-04-17 14:45:12 +00:00
parent cbdd75d668
commit fed426b635
1 changed files with 3 additions and 0 deletions
--- a/Containers/mastercontainer/headers.Caddyfile
+++ b/Containers/mastercontainer/headers.Caddyfile
@@ -22,6 +22,9 @@ header {
    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy

+    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
+    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+
    -Server
    -X-Powered-By
    -Via