From 3953546aceaf465c0fb9aa9220461506083ce95b Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Mon, 17 Feb 2025 16:03:59 +0200
Subject: [PATCH] Adds option to allow media on selected pages

---
 app/includes/security_headers_middleware.php | 33 ++++++++++++++++++--
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/app/includes/security_headers_middleware.php b/app/includes/security_headers_middleware.php
index f7c1410..c923d5e 100644
--- a/app/includes/security_headers_middleware.php
+++ b/app/includes/security_headers_middleware.php
@@ -12,6 +12,16 @@
  * - Permissions-Policy: Control browser features
  */
 
+// Get current page
+$current_page = $_GET['page'] ?? 'dashboard';
+
+// Define pages that need media access
+$media_enabled_pages = [
+    // 'conference' => ['camera', 'microphone'],
+    // 'call' => ['microphone'],
+    // Add more pages and their required permissions as needed
+];
+
 // Strict Transport Security (HSTS)
 // Only enable if HTTPS is properly configured
 if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
@@ -45,8 +55,6 @@ header('Referrer-Policy: strict-origin-when-cross-origin');
 // Permissions-Policy
 $permissions = [
     'geolocation=()',
-    'microphone=()',
-    'camera=()',
     'payment=()',
     'usb=()',
     'accelerometer=()',
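Review bot: `$current_page = $_GET['page'] ?? 'dashboard';` takes the query value with whatever type it arrives in, and a request such as `?page[]=x` makes it an array; the `isset($media_enabled_pages[$current_page])` lookup in the third hunk then throws a TypeError on PHP 8 (illegal offset type), so the middleware aborts before the remaining headers are emitted. Normalise to a string where it is read, e.g. `$page = $_GET['page'] ?? 'dashboard';` followed by `$current_page = is_string($page) ? $page : 'dashboard';`, which also covers the no-cache check at the end of the third hunk. The comment above the map should also state that the keys must be exactly what the router uses to select the page, since a key that does not match the page actually served would attach `camera=(self)` to the wrong response; I cannot see the router from this patch, so that is worth confirming.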
@@ -59,13 +67,32 @@ $permissions = [
     'sync-xhr=(self)',
     'usb=()'
 ];
+
+// Add camera/microphone permissions based on current page
+$camera_allowed = false;
+$microphone_allowed = false;
+
+if (isset($media_enabled_pages[$current_page])) {
+    $allowed_media = $media_enabled_pages[$current_page];
+    if (in_array('camera', $allowed_media)) {
+        $camera_allowed = true;
+    }
+    if (in_array('microphone', $allowed_media)) {
+        $microphone_allowed = true;
+    }
+}
+
+// Add media permissions
+$permissions[] = $camera_allowed ? 'camera=(self)' : 'camera=()';
+$permissions[] = $microphone_allowed ? 'microphone=(self)' : 'microphone=()';
+
 header('Permissions-Policy: ' . implode(', ', $permissions));
 
 // Clear PHP version
 header_remove('X-Powered-By');
 
 // Prevent caching of sensitive pages
-if (in_array($_GET['page'] ?? '', ['login', 'register', 'profile', 'security'])) {
+if (in_array($current_page, ['login', 'register', 'profile', 'security'])) {
     header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
     header('Pragma: no-cache');
     header('Expires: ' . gmdate('D, d M Y H:i:s', time() - 3600) . ' GMT');
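Review bot: The two `in_array('camera', $allowed_media)` / `in_array('microphone', $allowed_media)` calls use loose comparison, and the surrounding flag variables plus nested ifs make thirteen lines of what is a single lookup. A direct form reads better and is strict: `$allowed_media = $media_enabled_pages[$current_page] ?? [];`, then `$permissions[] = in_array('camera', $allowed_media, true) ? 'camera=(self)' : 'camera=()';` and `$permissions[] = in_array('microphone', $allowed_media, true) ? 'microphone=(self)' : 'microphone=()';`. As landed, the map in the first hunk has only commented-out entries, so every page still receives `camera=()` and `microphone=()`; a one-line comment saying the feature is inert until an entry is added would save the next reader from looking for a caller. Separately, `'usb=()'` already appears twice in `$permissions` (once in the second hunk, once at the top of this one); that predates this change but could be folded into the same cleanup.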