From 6d210c3f000e140cc4c1de4519eff9a887d6a4dd Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Mon, 7 Dec 2020 09:00:31 +0100
Subject: [PATCH] fix: add permissions-policy header (#1059)

---
 internal/api/http/header.go | 1 +
 internal/api/http/middleware/security_headers.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/internal/api/http/header.go b/internal/api/http/header.go
index abd6a36793..0263afb94e 100644
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -30,6 +30,7 @@ const (
 XContentTypeOptions = "x-content-type-options"
 ReferrerPolicy = "referrer-policy"
 FeaturePolicy = "feature-policy"
+ PermissionsPolicy = "permissions-policy"
 ZitadelOrgID = "x-zitadel-orgid"
 )
diff --git a/internal/api/http/middleware/security_headers.go b/internal/api/http/middleware/security_headers.go
index ded18e7ae0..268861ced6 100644
--- a/internal/api/http/middleware/security_headers.go
+++ b/internal/api/http/middleware/security_headers.go
@@ -70,6 +70,7 @@ func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 headers.Set(http_utils.XContentTypeOptions, "nosniff")
 headers.Set(http_utils.ReferrerPolicy, "same-origin")
 headers.Set(http_utils.FeaturePolicy, "payment 'none'")
+ headers.Set(http_utils.PermissionsPolicy, "payment=()")
 //PLANNED: add expect-ct
 h.handler.ServeHTTP(w, r)
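Review bot: The new `headers.Set(http_utils.PermissionsPolicy, "payment=()")` line in security_headers.go restates the policy already encoded by the Feature-Policy line directly above it, with nothing tying the two literals together, so a later change to one directive is likely to leave the other header advertising a different policy. Since Permissions-Policy is the successor syntax to Feature-Policy and both are now emitted, I would put `// Permissions-Policy supersedes Feature-Policy; keep both values in sync until the legacy header is dropped.` above the added line. The adjacent `//PLANNED: add expect-ct` note is probably worth revisiting in the same pass, as Expect-CT has since been deprecated by browsers and is unlikely to be worth adding. ServeHTTP starts before this hunk, and the hunk's line counts suggest it also ends before the function's closing brace.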