Browse Source

feat: Add permissions-policy to security headers

Diego Monti 8 months ago
parent
commit
b1805380dc
1 changed files with 11 additions and 0 deletions
  1. 11 0
      backend/open_webui/utils/security_headers.py

+ 11 - 0
backend/open_webui/utils/security_headers.py

@@ -20,6 +20,7 @@ def set_security_headers() -> Dict[str, str]:
     This function reads specific environment variables and uses their values
     This function reads specific environment variables and uses their values
     to set corresponding security headers. The headers that can be set are:
     to set corresponding security headers. The headers that can be set are:
     - cache-control
     - cache-control
+    - permissions-policy
     - strict-transport-security
     - strict-transport-security
     - referrer-policy
     - referrer-policy
     - x-content-type-options
     - x-content-type-options
@@ -38,6 +39,7 @@ def set_security_headers() -> Dict[str, str]:
     header_setters = {
     header_setters = {
         "CACHE_CONTROL": set_cache_control,
         "CACHE_CONTROL": set_cache_control,
         "HSTS": set_hsts,
         "HSTS": set_hsts,
+        "PERMISSIONS_POLICY": set_permissions_policy,
         "REFERRER_POLICY": set_referrer,
         "REFERRER_POLICY": set_referrer,
         "XCONTENT_TYPE": set_xcontent_type,
         "XCONTENT_TYPE": set_xcontent_type,
         "XDOWNLOAD_OPTIONS": set_xdownload_options,
         "XDOWNLOAD_OPTIONS": set_xdownload_options,
@@ -73,6 +75,15 @@ def set_xframe(value: str):
     return {"X-Frame-Options": value}
     return {"X-Frame-Options": value}
 
 
 
 
+# Set Permissions-Policy response header
+def set_permissions_policy(value: str):
+    pattern = r"^(?:(accelerometer|autoplay|camera|clipboard-read|clipboard-write|fullscreen|geolocation|gyroscope|magnetometer|microphone|midi|payment|picture-in-picture|sync-xhr|usb|xr-spatial-tracking)=\((self)?\),?)*$"
+    match = re.match(pattern, value, re.IGNORECASE)
+    if not match:
+        value = "none"
+    return {"Permissions-Policy": value}
+
+
 # Set Referrer-Policy response header
 # Set Referrer-Policy response header
 def set_referrer(value: str):
 def set_referrer(value: str):
     pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"
     pattern = r"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$"