From 710e7aa9409dcb31b96e0f6612b24bd03c27bb79 Mon Sep 17 00:00:00 2001 From: Freddie Leeman Date: Tue, 17 Nov 2020 16:25:03 +0100 Subject: [PATCH] Feature-/Permissions-Policy HTTP header update (#15667) Removed features that were removed from the 'Feature-Policy' spec (vibrate, speaker). List of valid features can be found here: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md Due to a recent rename of the policy I've copied the Feature-Policy to a Permissions-Policy header and changed the value syntax. For backwards compatibility I recommend leaving the 'Feature-Policy' for now. Syntax errors found using: https://www.uriports.com/score/home-assistant.io --- source/_headers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/_headers b/source/_headers index 61d96baf8a7..d33567d39d7 100644 --- a/source/_headers +++ b/source/_headers @@ -1,7 +1,8 @@ /* Cache-Control: public, max-age: 0, s-maxage=3600, must-revalidate Content-Security-Policy: form-action https: - Feature-Policy: vibrate 'none'; geolocation 'none'; midi 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; payment 'none' + Feature-Policy: geolocation 'none'; midi 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; payment 'none' + Permissions-Policy: geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=() Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block
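Review bot: the unchanged context line `Cache-Control: public, max-age: 0, s-maxage=3600, must-revalidate` at the top of this hunk still carries a syntax error: `max-age: 0` uses a colon where the directive takes `=`. Since the stated purpose of the change is to fix header syntax errors, correct it to `max-age=0` in the same patch. On the added `Permissions-Policy` line, the seven features are a hand-copied duplicate of the `Feature-Policy` list, and only the commit message records that the older header is kept for backwards compatibility. Note that next to the headers or in the PR description so the two lists are edited together and the old header is removed once it is no longer needed.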