feat: Add permissions-policy to security headers

2025-06-26 18:26:48 +00:00 · 2024-11-06 18:16:22 +01:00 · 2024-11-06 18:16:22 +01:00 · b1805380dc
commit b1805380dc
parent 7228b39064
1 changed files with 11 additions and 0 deletions
--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
    This function reads specific environment variables and uses their values
    to set corresponding security headers. The headers that can be set are:
    - cache-control
+    - permissions-policy
    - strict-transport-security
    - referrer-policy
    - x-content-type-options
@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
    header_setters = {
        "CACHE_CONTROL": set_cache_control,
        "HSTS": set_hsts,
+        "PERMISSIONS_POLICY": set_permissions_policy,
        "REFERRER_POLICY": set_referrer,
        "XCONTENT_TYPE": set_xcontent_type,
        "XDOWNLOAD_OPTIONS": set_xdownload_options,
@ -73,6 +75,15 @@ def set_xframe(value: str):
    return {"X-Frame-Options": value}


+# Set Permissions-Policy response header
+def set_permissions_policy(value: str):
+    pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
+    match = re.match(pattern, value, re.IGNORECASE)
+    if not match:
+        value = "none"
+    return {"Permissions-Policy": value}
+
+
 # Set Referrer-Policy response header
 def set_referrer(value: str):
    pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"