fix: permissions policy

nuxt-modules · Oct 15, 2023 · 9861e61 · 9861e61
1 parent 5d9740a
commit 9861e61
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 15 deletions.
diff --git a/docs/content/1.documentation/1.getting-started/2.configuration.md b/docs/content/1.documentation/1.getting-started/2.configuration.md
@@ -66,11 +66,11 @@ security: {
     xPermittedCrossDomainPolicies: 'none',
     xXSSProtection: '0',
     permissionsPolicy: {
-      camera: ['()'],
-      'display-capture': ['()'],
-      fullscreen: ['()'],
-      geolocation: ['()'],
-      microphone: ['()']
+      camera: [],
+      'display-capture': [],
+      fullscreen: [],
+      geolocation: [],
+      microphone: []
     }
   },
   requestSizeLimiter: {

diff --git a/docs/content/1.documentation/1.getting-started/3.usage.md b/docs/content/1.documentation/1.getting-started/3.usage.md
@@ -96,9 +96,6 @@ experimental: {
 
 ::
 
-
-
-
 ## Disabling functionality
 
 To disable certain middleware or headers, follow this pattern:

diff --git a/docs/content/1.documentation/2.headers/2.permissions-policy.md b/docs/content/1.documentation/2.headers/2.permissions-policy.md
@@ -36,7 +36,19 @@ export default defineNuxtConfig({
 })
 ```
 
-You can also disable this header by `permissionsPolicy: false`.
+You can also disable this header by setting `permissionsPolicy: false`. To disable certain API completely, set its value to empty array like:
+
+```ts
+export default defineNuxtConfig({
+  security: {
+    headers: {
+      permissionsPolicy: {
+        'camera': [] // This will block usage of camera by this website
+      },
+    },
+  },
+})
+```
 
 ## Default value
 

diff --git a/src/defaultConfig.ts b/src/defaultConfig.ts
@@ -31,11 +31,11 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
     xPermittedCrossDomainPolicies: 'none',
     xXSSProtection: '0',
     permissionsPolicy: {
-      camera: ['()'],
-      'display-capture': ['()'],
-      fullscreen: ['()'],
-      geolocation: ['()'],
-      microphone: ['()']
+      camera: [],
+      'display-capture': [],
+      fullscreen: [],
+      geolocation: [],
+      microphone: []
     }
   },
   requestSizeLimiter: {

diff --git a/src/headers.ts b/src/headers.ts
@@ -41,7 +41,7 @@ const headerValueMappers = {
     })
       .filter(Boolean).join('; ')
   },
-  permissionsPolicy: (value: PermissionsPolicyValue) => Object.entries(value).map(([directive, sources]) => (sources as string[])?.length && `${directive}=${(sources as string[]).join(' ')}`).filter(Boolean).join(', ')
+  permissionsPolicy: (value: PermissionsPolicyValue) => Object.entries(value).map(([directive, sources]) => `${directive}=(${(sources as string[]).join(' ')})`).filter(Boolean).join(', ')
 }
 
 export const getHeaderValueFromOptions = <T>(headerType: HeaderMapper, headerOptions: any) => {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -96,9 +96,6 @@ experimental: {

		::




		## Disabling functionality

		To disable certain middleware or headers, follow this pattern:
Expand Down