From fed426b63575f6bfc4a94e996066fc71ddd1d62d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 17 Apr 2026 14:45:12 +0000
Subject: [PATCH] Add Permissions-Policy header to headers.Caddyfile
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/8ef03112-cdc4-46d1-b1f1-96c2a85e92c0
Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 Containers/mastercontainer/headers.Caddyfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Containers/mastercontainer/headers.Caddyfile b/Containers/mastercontainer/headers.Caddyfile
index bdbfc459..76918e84 100644
--- a/Containers/mastercontainer/headers.Caddyfile
+++ b/Containers/mastercontainer/headers.Caddyfile
@@ -22,6 +22,9 @@ header {
 Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
 Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+ # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
+ Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+
 -Server
 -X-Powered-By
 -Via
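Review bot: The added `Permissions-Policy` value omits `bluetooth`, although it denies the sibling device APIs `hid`, `serial` and `usb` and the comment above it says all known features are listed. Adding `bluetooth=()` closes that gap, and `browsing-topics=(), attribution-reporting=()` could follow if ad and tracking features are in scope. Because this is an explicit deny list, any feature browsers introduce later keeps its default allowlist, so the comment could end with `# Review this list against the MDN page when browsers add new features.` The `header { … }` block opens and closes outside the hunk, so which sites import this file is not visible here. It is presumably only the AIO interface, since denying `camera`, `microphone` and `fullscreen` would also affect any proxied app that needs them.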