Merge pull request 'more permissions-policy' (#43) from develop into master

Reviewed-on: #43

packages/backend/src/server/ServerService.ts

@@ -278,7 +278,17 @@ export class ServerService implements OnApplicationShutdown {
 		// Other Security/Privacy Headers
 		fastify.addHook('onRequest', (_, reply, done) => {
 			reply.header('x-content-type-options', 'nosniff');
-			reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
+			reply.header('permissions-policy', 
+						[
+							'interest-cohort', 
+							'encrypted-media', 
+							'attribution-reporting', 
+							'geolocation', 'microphone', 'camera', 
+							'midi', 'payment', 'usb', 'serial',
+							'xr-spatial-tracking'
+						]
+					.map(feature => `${feature}=()`).join(', '));
+				
 			if (this.config.browserSandboxing.strictOriginReferrer) {
 				reply.header('referrer-policy', 'strict-origin');
 			}

packages/backend/src/server/pug-filters.ts

@@ -7,6 +7,6 @@ export const commonPugFilters = {
             throw new Error('Invalid mimeType');
         }
         const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
-        return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
+        return `<${options.tagName} src="${dataURI}"></${options.tagName}>`;
     }
 } as const;

packages/backend/src/server/web/ClientServerService.ts

@@ -248,16 +248,6 @@ export class ClientServerService {
 			fastify.addHook('onRequest', makeHstsHook(host, preload));
 		}
 
-		// Other Security/Privacy Headers
-		fastify.addHook('onRequest', (_, reply, done) => {
-			reply.header('x-content-type-options', 'nosniff');
-			reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
-			if (this.config.browserSandboxing.strictOriginReferrer ?? true) {
-				reply.header('referrer-policy', 'strict-origin');
-			}
-			done();
-		});
-
 		// CSP
 		if (process.env.NODE_ENV === 'production') {
 			console.debug('cspPrerenderedContent', this.config.cspPrerenderedContent);