Can add Permissions-Policy on web sites

2022-08-16 16:58:28 +02:00 · 2022-08-16 16:58:28 +02:00 · 3b195fa1fb
commit 3b195fa1fb
parent 5ef941311a
2 changed files with 15 additions and 2 deletions
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@ -497,9 +497,11 @@ print '<br>';
 print '<strong>WEBSITE_MAIN_SECURITY_FORCERP</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCERP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCERP).' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"strict-origin-when-cross-origin\")</span><br>";
 print '<br>';

-print '<strong>WEBSITE_MAIN_SECURITY_FORCESTS</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCESTS) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCESTS).' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"max-age=31536000; includeSubDomaines\")</span><br>";
+print '<strong>WEBSITE_MAIN_SECURITY_FORCESTS</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCESTS) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCESTS).' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"max-age=31536000; includeSubDomains\")</span><br>";
 print '<br>';

+print '<strong>WEBSITE_MAIN_SECURITY_FORCEPP</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCEPP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCEPP).' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"camera: 'none'; microphone: 'none';\")</span><br>";
+print '<br>';

 print '<br>';

--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@ -141,12 +141,23 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
 	if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
 		// The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be

-		// Example: "max-age=31536000; includeSubDomaines"
+		// Example: "max-age=31536000; includeSubDomains"
 		$sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
 		if (!empty($sts)) {
 			header("Strict-Transport-Security: ".$sts);
 		}
 	}
+
+	// Permissions-Policy (old name was Feature-Policy)
+	if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
+		// The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
+
+		// Example: "camera: 'none'; microphone: 'none';"
+		$pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
+		if (!empty($pp)) {
+			header("Permissions-Policy: ".$pp);
+		}
+	}
 }

 // A lang was forced, so we change weblangs init