Security: Enable Permissions Policy by bellisabell · Pull Request #53 · contraptionco/postcard

bellisabell · 2026-03-04T02:40:56Z

Summary

Enables the Permissions Policy HTTP header to restrict browser API access, improving security by reducing the attack surface.

Changes

Configures a strict permissions policy that:

Disables sensors: accelerometer, gyroscope, magnetometer, ambient light sensor
Disables media devices: camera, microphone
Disables location: geolocation
Disables hardware APIs: USB, MIDI
Disables payment APIs
Disables autoplay and picture-in-picture
Disables VR/XR features: xr-spatial-tracking
Disables interest-based advertising: interest-cohort (FLoC/Topics)
Allows fullscreen: from same origin only (for viewing postcards)

Security Impact

This addresses a HIGH severity issue where the entire permissions policy was commented out, leaving all browser APIs unrestricted. The new policy follows the principle of least privilege.

Closes #19

Implements a strict Permissions Policy that restricts unnecessary browser APIs including: - Sensors (accelerometer, gyroscope, magnetometer, ambient light) - Media devices (camera, microphone) - Location (geolocation) - Hardware (USB, MIDI) - Payment APIs - Autoplay and picture-in-picture - VR/XR features - Interest-based advertising (FLoC/Topics) Only fullscreen is allowed from the same origin. Closes #19

bellisabell assigned philipithomas Mar 4, 2026

bellisabell added 2 commits March 3, 2026 18:55

Remove xr_spatial_tracking directive (not supported in Rails 7.1)

26ff9cc

Remove interest_cohort directive (not supported in Rails 7.1)

e34323f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Enable Permissions Policy#53

Security: Enable Permissions Policy#53
bellisabell wants to merge 3 commits intomainfrom
bell/enable-permissions-policy

bellisabell commented Mar 4, 2026

Labels

2 participants