added Permissions-Policy header

confs/site/permissions-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";

entrypoint/defaults.sh

@@ -33,11 +33,12 @@ BROTLI_MIN_LENGTH="${BROTLI_MIN_LENGTH-1000}"
 BROTLI_TYPES="${BROTLI_TYPES-application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml}"
 REMOTE_PHP_PATH="${REMOTE_PHP_PATH-/app}"
 USE_REVERSE_PROXY="${USE_REVERSE_PROXY-no}"
-REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version"
+REMOVE_HEADERS="${REMOVE_HEADERS-Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version}"
 X_FRAME_OPTIONS="${X_FRAME_OPTIONS-DENY}"
 X_XSS_PROTECTION="${X_XSS_PROTECTION-1; mode=block}"
 X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS-nosniff}"
 REFERRER_POLICY="${REFERRER_POLICY-no-referrer}"
+PERMISSIONS_POLICY="${PERMISSIONS_POLICY-accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()}"
 FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
 DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"

entrypoint/site-config.sh

@@ -198,6 +198,14 @@ else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FEATURE_POLICY%" ""
 fi
 
+# Permissions-Policy header
+if [ "$PERMISSIONS_POLICY" != "" ] ; then
+	replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" "include ${NGINX_PREFIX}permissions-policy.conf;"
+	replace_in_file "${NGINX_PREFIX}permissions-policy.conf" "%PERMISSIONS_POLICY%" "$PERMISSIONS_POLICY"
+else
+	replace_in_file "${NGINX_PREFIX}server.conf" "%PERMISSIONS_POLICY%" ""
+fi
+
 # Content-Security-Policy header
 if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
         replace_in_file "${NGINX_PREFIX}server.conf" "%CONTENT_SECURITY_POLICY%" "include ${NGINX_PREFIX}content-security-policy.conf;"