feat: add permissions-policy header

public/language/en-GB/admin/settings/advanced.json

@@ -20,6 +20,8 @@
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
 	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
+	"headers.permissions-policy": "Permissions-Policy",
+	"headers.permissions-policy-help": "Allows setting permissions policy header, for example \"geolocation=*, camera=()\", see <a href=\"https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md\">this</a> for more info.",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
 	"hsts.maxAge": "HSTS Max Age",

src/middleware/headers.js

@@ -57,6 +57,10 @@ module.exports = function (middleware) {
 			});
 		}
 
+		if (meta.config['permissions-policy']) {
+			headers['Permissions-Policy'] = meta.config['permissions-policy'];
+		}
+
 		if (meta.config['access-control-allow-credentials']) {
 			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
 		}

src/views/admin/settings/advanced.tpl

@@ -99,6 +99,12 @@
 				</select>
 				<br />
 			</div>
+
+			<div class="form-group">
+				<label for="permissions-policy">[[admin/settings/advanced:headers.permissions-policy]]</label>
+				<input class="form-control" id="permissions-policy" type="text" placeholder="" data-field="permissions-policy"  >
+				<p class="help-block">[[admin/settings/advanced:headers.permissions-policy-help]]</p>
+			</div>
 		</form>
 	</div>
 </div>