From ea8597d1fb2efa30d1cead7eddabd02af983d19e Mon Sep 17 00:00:00 2001
From: zzz <zzz@i2pmail.org>
Date: Fri, 18 Jun 2021 09:58:57 -0400
Subject: [PATCH] Console: Add preliminary Permissions-Policy header

other places TODO
---
 apps/routerconsole/jsp/css.jsi | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index c9a1708df6..aad30f9b97 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -48,9 +48,10 @@
 // unsafe-inline is a fallback for browsers not supporting nonce
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
- response.setHeader("X-XSS-Protection", "1; mode=block");
- response.setHeader("X-Content-Type-Options", "nosniff");
 }
+ response.setHeader("X-XSS-Protection", "1; mode=block");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=()");
 // https://www.w3.org/TR/referrer-policy/
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 // As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported.
--
GitLab
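Review bot: The new Permissions-Policy value has a syntax error in the `display-capture()` member, which is missing the `=` that every other directive carries; Permissions-Policy is parsed as a Structured Field dictionary, and a malformed member can cause a browser to discard that entry or, depending on its parser, the whole header, so the intended restrictions would silently not apply. The fix is to write `display-capture=()` like the neighbouring directives. Separately, a few of the listed names (`vibrate`, `vr`, `ambient-light-sensor`, `battery`) are non-standard or not implemented by current browsers; they are harmless but will be ignored and may produce console warnings, so a short comment such as `// preliminary list; unrecognized features are ignored by browsers` above the setHeader call would save the next maintainer from wondering whether they are meant to be enforced. The `if` block whose closing `}` appears in the hunk begins above the hunk, so I cannot see which condition now separates the CSP header from the three headers that were moved outside it.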