disable owasp experimental permisisons policy

docs/content/1.documentation/2.headers/2.permissions-policy.md

@@ -57,7 +57,7 @@ export default defineNuxtConfig({
 By default, Nuxt Security will set following value for this header.
 
 ```http
-Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=();
+Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()
 ```
 
 ## Available values

src/defaultConfig.ts

@@ -39,32 +39,52 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
     xXSSProtection: '0',
     permissionsPolicy: {
       accelerometer: [],
+      /* Disable OWASP Experimental values
       'ambient-light-sensor':[],
+      */
       autoplay:[],
+      /* Disable OWASP Experimental values
       battery:[],
+      */
       camera:[],
       'display-capture':[],
+      /* Disable OWASP Experimental values
       'document-domain':[],
+      */
       'encrypted-media':[],
       fullscreen:[],
+      /* Disable OWASP Experimental values
       gamepad:[],
+      */
       geolocation:[],
       gyroscope:[],
+      /* Disable OWASP Experimental values
       'layout-animations':['self'],
+      */
+      /* Disable OWASP Experimental values
       'legacy-image-formats':['self'],
+      */
       magnetometer:[],
       microphone:[],
       midi:[],
+      /* Disable OWASP Experimental values
       'oversized-images':['self'],
+      */
       payment:[],
       'picture-in-picture':[],
       'publickey-credentials-get':[],
+      'screen-wake-lock':[],
+      /* Disable OWASP Experimental values
       'speaker-selection':[],
+      */
       'sync-xhr':['self'],
+      /* Disable OWASP Experimental values
       'unoptimized-images':['self'],
+      */
+      /* Disable OWASP Experimental values
       'unsized-media':['self'],
+      */
       usb:[],
-      'screen-wake-lock':[],
       'web-share':[],
       'xr-spatial-tracking':[]
     }

test/headers.test.ts

@@ -92,7 +92,7 @@ describe('[nuxt-security] Headers', async () => {
     const ppHeaderValue = headers.get('permissions-policy')
 
     expect(ppHeaderValue).toBeTruthy()
-    expect(ppHeaderValue).toBe('accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()')
+    expect(ppHeaderValue).toBe('accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()')
   })
 
   it('has `referrer-policy` header set with correct default value', async () => {