
Merge pull request #6761 from diegmonti/feat/permissions-policy

feat: Add permissions-policy to security headers
Timothy Jaeryang Baek 6 months ago
parent
commit
2fdbab6640
1 changed files with 11 additions and 0 deletions
  1. 11 0
      backend/open_webui/utils/security_headers.py

+ 11 - 0
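--- a/backend/open_webui/utils/security_headers.py
+++ b/backend/open_webui/utils/security_headers.py
@@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
     This function reads specific environment variables and uses their values
     to set corresponding security headers. The headers that can be set are:
     - cache-control
+    - permissions-policy
     - strict-transport-security
     - referrer-policy
     - x-content-type-options
@@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
     header_setters = {
         "CACHE_CONTROL": set_cache_control,
         "HSTS": set_hsts,
+        "PERMISSIONS_POLICY": set_permissions_policy,
         "REFERRER_POLICY": set_referrer,
         "XCONTENT_TYPE": set_xcontent_type,
         "XDOWNLOAD_OPTIONS": set_xdownload_options,
@@ -73,6 +75,15 @@ def set_xframe(value: str):
     return {"X-Frame-Options": value}
 
 
+# Set Permissions-Policy response header
+def set_permissions_policy(value: str):
+    pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
+    match = re.match(pattern, value, re.IGNORECASE)
+    if not match:
+        value = "none"
+    return {"Permissions-Policy": value}
+
+
 # Set Referrer-Policy response header
 def set_referrer(value: str):
     pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"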
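Review bot: The fallback in the `if not match` branch of `set_permissions_policy` sets the header to the literal `none`, which is not Permissions-Policy syntax (the grammar is `feature=(allowlist)`, with denial spelled `feature=()`), so a mistyped PERMISSIONS_POLICY value silently produces a header browsers ignore instead of a restrictive one. The validation itself is also narrower than the header allows: `re.match` with `$` accepts a trailing newline, and any allowlist containing an origin or `*` is rejected and collapsed to the same no-op value. At minimum switch to `if not re.fullmatch(pattern, value, re.IGNORECASE):` and log the rejected value with the module's logger so the operator notices the misconfiguration; whether the fallback then omits the header or emits an explicit `feature=()` deny list should be stated in the function's header comment. The docstring bullet added in the first hunk belongs to `set_security_headers`, whose body starts and ends outside these hunks.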