[feat] Add Referrer-Policy and Permissions-Policy headers

someengineering · Sep 3, 2024 · 69b91aa · 69b91aa
1 parent 5f3ae90
commit 69b91aa
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/fixbackend/app.py b/fixbackend/app.py
@@ -79,6 +79,23 @@ async def custom_ui(hash: str) -> Response:
         headers["X-Content-Type-Options"] = "nosniff"
         headers["X-Frame-Options"] = "DENY"
         headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+        headers["Referrer-Policy"] = "origin-when-cross-origin"
+        headers["Permissions-Policy"] = (
+            "notifications=(self),"
+            " payment=(self),"
+            " fullscreen=(self),"
+            " geolocation=(),"
+            " camera=(),"
+            " microphone=(),"
+            " accelerometer=(),"
+            " gyroscope=(),"
+            " magnetometer=(),"
+            " usb=(),"
+            " vr=(),"
+            " xr-spatial-tracking=(),"
+            " autoplay=(),"
+            " midi=()"
+        )
         headers["Content-Security-Policy"] = (
             "default-src 'self' https://cdn.fix.security;"
             f" connect-src 'self' data: https://cdn.fix.security https://capture.trackjs.com https://ph.fix.security;"
@@ -337,6 +354,23 @@ async def root(_: Request) -> Response:
             headers["X-Content-Type-Options"] = "nosniff"
             headers["X-Frame-Options"] = "DENY"
             headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+            headers["Referrer-Policy"] = "origin-when-cross-origin"
+            headers["Permissions-Policy"] = (
+                "notifications=(self),"
+                " payment=(self),"
+                " fullscreen=(self),"
+                " geolocation=(),"
+                " camera=(),"
+                " microphone=(),"
+                " accelerometer=(),"
+                " gyroscope=(),"
+                " magnetometer=(),"
+                " usb=(),"
+                " vr=(),"
+                " xr-spatial-tracking=(),"
+                " autoplay=(),"
+                " midi=()"
+            )
             headers["Content-Security-Policy"] = (
                 "default-src 'self' https://cdn.fix.security;"
                 f" connect-src 'self' data: https://cdn.fix.security https://capture.trackjs.com https://ph.fix.security;"