From ccc7dbef0cc2ccb83a24ee825f27ac7ec3d600c1 Mon Sep 17 00:00:00 2001
From: Bell Isabell
Date: Tue, 3 Mar 2026 18:40:44 -0800
Subject: [PATCH 1/3] Security: Enable Permissions Policy to restrict browser API access

Implements a strict Permissions Policy that restricts unnecessary browser APIs including:
- Sensors (accelerometer, gyroscope, magnetometer, ambient light)
- Media devices (camera, microphone)
- Location (geolocation)
- Hardware (USB, MIDI)
- Payment APIs
- Autoplay and picture-in-picture
- VR/XR features
- Interest-based advertising (FLoC/Topics)

Only fullscreen is allowed from the same origin.

Closes #19
---
 config/initializers/permissions_policy.rb | 46 +++++++++++++++++++----
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/config/initializers/permissions_policy.rb b/config/initializers/permissions_policy.rb
index 50bcf4e..77a8645 100644
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@@ -1,12 +1,42 @@
 # frozen_string_literal: true
+
 # Define an application-wide HTTP permissions policy. For further
 # information see https://developers.google.com/web/updates/2018/06/feature-policy
 #
-# Rails.application.config.permissions_policy do |f|
-# f.camera :none
-# f.gyroscope :none
-# f.microphone :none
-# f.usb :none
-# f.fullscreen :self
-# f.payment :self, "https://secure.example.com"
-# end
+# This policy restricts access to browser APIs that this application does not use,
+# reducing the attack surface and improving security.
+
+Rails.application.config.permissions_policy do |f|
+ # Disable access to sensors
+ f.accelerometer :none
+ f.gyroscope :none
+ f.magnetometer :none
+ f.ambient_light_sensor :none
+
+ # Disable access to media devices
+ f.camera :none
+ f.microphone :none
+
+ # Disable access to location
+ f.geolocation :none
+
+ # Disable access to hardware
+ f.usb :none
+ f.midi :none
+
+ # Disable payment and identity APIs
+ f.payment :none
+
+ # Disable autoplay and picture-in-picture
+ f.autoplay :none
+ f.picture_in_picture :none
+
+ # Disable VR/XR features
+ f.xr_spatial_tracking :none
+
+ # Allow fullscreen only from same origin (for viewing postcards)
+ f.fullscreen :self
+
+ # Disable interest-based advertising features
+ f.interest_cohort :none
+end

From 26ff9ccc88ef948980d207ed9a9f539d976b3631 Mon Sep 17 00:00:00 2001
From: Bell Isabell
Date: Tue, 3 Mar 2026 18:55:32 -0800
Subject: [PATCH 2/3] Remove xr_spatial_tracking directive (not supported in Rails 7.1)

---
 config/initializers/permissions_policy.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/config/initializers/permissions_policy.rb b/config/initializers/permissions_policy.rb
index 77a8645..4043fc9 100644
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
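Review bot: The comment `# Disable payment and identity APIs` above `f.payment :none` describes more than the block sets, since no identity-related directive follows it; either shorten it to `# Disable payment APIs` or add the matching directive if this Rails version exposes one. Patches 2/3 in this series drop `xr_spatial_tracking` and `interest_cohort` because Rails 7.1 does not know them, so any further name should be checked against `ActionDispatch::PermissionsPolicy::DIRECTIVES` before it lands; `display_capture`, `hid` and `serial` deserve the same `:none` treatment if present there, as nothing in the hunk suggests the app needs screen capture or raw device access. The header comment still only cites the 2018 feature-policy article although the block below is now live configuration rather than an example; a line such as `# Emitted as the Permissions-Policy response header by the Rails middleware; assets served outside Rails are not covered.` would tell the next reader what the block actually controls, with the last clause hedged on the deployment.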
@@ -31,9 +31,6 @@
 f.autoplay :none
 f.picture_in_picture :none
 
-# Disable VR/XR features
-f.xr_spatial_tracking :none
-
 # Allow fullscreen only from same origin (for viewing postcards)
 f.fullscreen :self
 

From e34323f1dc02ad4746c739ed0c0223948496462c Mon Sep 17 00:00:00 2001
From: Bell Isabell
Date: Tue, 3 Mar 2026 19:26:34 -0800
Subject: [PATCH 3/3] Remove interest_cohort directive (not supported in Rails 7.1)

---
 config/initializers/permissions_policy.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/config/initializers/permissions_policy.rb b/config/initializers/permissions_policy.rb
index 4043fc9..f36c4c2 100644
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@@ -33,7 +33,4 @@
 
 # Allow fullscreen only from same origin (for viewing postcards)
 f.fullscreen :self
-
-# Disable interest-based advertising features
-f.interest_cohort :none
 end