From 44e6bdcc1f01b2bb0cd72371632b46307cb3e8aa Mon Sep 17 00:00:00 2001
From: damienbod
Date: Thu, 17 Oct 2024 21:10:42 +0200
Subject: [PATCH] Remove ambient-light-sensor=() from the Default Permission policy, fix warning in Brower

---
 README.md | 8 ++------
 .../Headers/PermissionsPolicyHeaderExtensions.cs | 4 ++--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 4f0e611..845cd66 100644
--- a/README.md
+++ b/README.md
@@ -271,7 +271,7 @@ As described in the [OWASP guidance](https://cheatsheetseries.owasp.org/cheatshe
 * `X-Frame-Options: Deny`
 * `Content-Security-Policy: default-src: none; frame-ancestors 'none'`
 * `Referrer-Policy: no-referrer`
-* `Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()`
+* `Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()`
 
 Apply it in the same way to your header policy collection:
 
@@ -449,10 +449,6 @@ public void Configure(IApplicationBuilder app)
 .Self()
 .For("http://testUrl.com");
 
-builder.AddAmbientLightSensor() // ambient-light-sensor 'self' http://testUrl.com
-.Self()
-.For("http://testUrl.com");
-
 builder.AddAutoplay() // autoplay 'self'
 .Self();
 
@@ -523,7 +519,7 @@ var policyCollection = new HeaderPolicyCollection()
 This applies a "secure" policy based on the [suggested by OWASP for APIs](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers):
 
 ```HTTP
-Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
+Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
 ```
 
 Alternatively, if you want to relax some of these directives, you can use the builder version:
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/PermissionsPolicyHeaderExtensions.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/PermissionsPolicyHeaderExtensions.cs
index 69bc73e..e13456b 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/PermissionsPolicyHeaderExtensions.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/PermissionsPolicyHeaderExtensions.cs
@@ -13,7 +13,7 @@ public static class PermissionsPolicyHeaderExtensions
 /// The policy applied by
 ///
 internal const string DefaultSecurePolicy =
-    "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), " +
+    "accelerometer=(), autoplay=(), camera=(), display-capture=(), " +
     "encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), " +
     "microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), " +
     "screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()";
@@ -41,7 +41,7 @@ public static HeaderPolicyCollection AddPermissionsPolicy(this HeaderPolicyColle
 /// not available by default, or not implemented. For consistency with ,
 /// those directives are not included in the policy.
 ///
-/// The policy added is equivalent to accelerometer=(), ambient-light-sensor=(),
+/// The policy added is equivalent to accelerometer=(),
 /// autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(),
 /// geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(),
 /// picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(),
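Review bot: Dropping `ambient-light-sensor=()` from `DefaultSecurePolicy` silences a console warning at the cost of a weaker default in any browser that does implement the feature, because a browser that does not recognise a feature name in Permissions-Policy ignores only that entry and still enforces the rest of the header. If the warning is the motivation, consider keeping the directive, or at least recording the trade-off next to the constant so it is not silently re-added or assumed present later, e.g. `// ambient-light-sensor=() intentionally omitted: browsers without the feature log a warning for the unrecognised name; add it via the builder if required.` The README hunk in this same patch removes the `AddAmbientLightSensor()` example, so it is also worth stating in the XML doc of `AddPermissionsPolicy` whether that builder method remains available for callers who want the directive back. The enclosing class and the rest of the remarks block continue outside the hunk.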