Dumb fix for feature-policy being dumb.

app/Http/Middleware/SecurityHeaders.php

@@ -27,7 +27,52 @@ class SecurityHeaders
 
         $response->headers->set('X-Content-Type-Options', 'nosniff');
         $response->headers->set('X-XSS-Protection', '1; mode=block');
-        $response->headers->set('Feature-Policy', 'self');
+
+        // Ugh. Feature-Policy is dumb and clumsy and mostly irrelevant for Snipe-IT,
+        // since we don't provide any way to IFRAME anything in in the first place.
+        // There is currently no easy way to default ALL THE THINGS to 'none', but
+        // security audits will still ding you if you don't have this header, even
+        // though we don't allow IFRAMING in the first place.
+        //
+        // So for security and compliance sake, here we are. Sigh.
+        //
+        // See also:
+        //           - https://developers.google.com/web/updates/2018/06/feature-policy
+        //           - https://scotthelme.co.uk/a-new-security-header-feature-policy/
+        //           - https://github.com/w3c/webappsec-feature-policy/issues/189
+
+        $feature_policy[] = "accelerometer 'none'";
+        $feature_policy[] = "ambient-light-sensor 'none'";
+        $feature_policy[] = "animations 'none'";
+        $feature_policy[] = "autoplay 'none'";
+        $feature_policy[] = "battery 'none'";
+        $feature_policy[] = "camera 'none'";
+        $feature_policy[] = "display-capture 'none'";
+        $feature_policy[] = "document-domain 'none'";
+        $feature_policy[] = "encrypted-media 'none'";
+        $feature_policy[] = "fullscreen 'none'";
+        $feature_policy[] = "geolocation 'none'";
+        $feature_policy[] = "gyroscope 'none'";
+        $feature_policy[] = "legacy-image-formats 'none'";
+        $feature_policy[] = "magnetometer 'none'";
+        $feature_policy[] = "microphone 'none'";
+        $feature_policy[] = "midi 'none'";
+        $feature_policy[] = "oversized-images 'none'";
+        $feature_policy[] = "payment 'none'";
+        $feature_policy[] = "picture-in-picture 'none'";
+        $feature_policy[] = "publickey-credentials 'none'";
+        $feature_policy[] = "sync-xhr 'none'";
+        $feature_policy[] = "unoptimized-images 'none'";
+        $feature_policy[] = "unsized-media 'none'";
+        $feature_policy[] = "usb 'none'";
+        $feature_policy[] = "vibrate 'none'";
+        $feature_policy[] = "wake-lock 'none'";
+        $feature_policy[] = "xr-spatial-tracking 'none'";
+
+        $feature_policy = join(';', $feature_policy);
+        $response->headers->set('Feature-Policy', $feature_policy);
+
+
 
         // Defaults to same-origin if REFERRER_POLICY is not set in the .env
         $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
@@ -56,15 +101,15 @@ class SecurityHeaders
         // and it will break things.
 
         if ((config('app.debug')!='true')  || (config('app.enable_csp')=='true')) {
-            $policy[] = "default-src 'self'";
-            $policy[] = "style-src 'self' 'unsafe-inline'";
-            $policy[] = "script-src 'self' 'unsafe-inline'";
-            $policy[] = "connect-src 'self'";
-            $policy[] = "object-src 'none'";
-            $policy[] = "font-src 'self' data:";
-            $policy[] = "img-src 'self' data: gravatar.com";
-            $policy = join(';', $policy);
-            $response->headers->set('Content-Security-Policy', $policy);
+            $csp_policy[] = "default-src 'self'";
+            $csp_policy[] = "style-src 'self' 'unsafe-inline'";
+            $csp_policy[] = "script-src 'self' 'unsafe-inline'";
+            $csp_policy[] = "connect-src 'self'";
+            $csp_policy[] = "object-src 'none'";
+            $csp_policy[] = "font-src 'self' data:";
+            $csp_policy[] = "img-src 'self' data: gravatar.com";
+            $csp_policy = join(';', $csp_policy);
+            $response->headers->set('Content-Security-Policy', $csp_policy);
         }
 
         return $response;