Nginx configuation add_header Permissions-Policy #1553

New Issue

Closed

opened 2025-10-09 17:19:26 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2025-10-09 17:19:26 +03:00

Owner

Copy Link

Originally created by @IssueFindings on GitHub.

Hello,
I try to configure the access to bitwarden through Nginx. When I test my Nginx configuration with https://www.immuniweb.com/websec/, I just get this error message : "PERMISSIONS-POLICY : The header is not properly set." and nothing more...

I don't understand my mistake in the code below :
add_header Permissions-Policy "usb=(), geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(self, https://haveibeenpwned.com, https://twofactorauth.org), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()";

Anyone could you help me ?

Have a nice day.

Originally created by @IssueFindings on GitHub. Hello, I try to configure the access to bitwarden through Nginx. When I test my Nginx configuration with https://www.immuniweb.com/websec/, I just get this error message : "PERMISSIONS-POLICY : The header is not properly set." and nothing more... I don't understand my mistake in the code below : `add_header Permissions-Policy "usb=(), geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(self, https://haveibeenpwned.com, https://twofactorauth.org), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()";` Anyone could you help me ? Have a nice day.

OVERLORD added the Third partyquestionbetter for forum labels 2025-10-09 17:19:26 +03:00

OVERLORD closed this issue 2025-10-09 17:19:27 +03:00

OVERLORD commented 2025-10-09 17:19:28 +03:00

Author

Owner

Copy Link

@IssueFindings commented on GitHub:

Sorry for the delay... and many thanks for your answer. Based on it, I update my Permissions-Policy as below
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com' 'https://twofactorauth.org'), usb=(), vr=()";

That works even if an alert is displayed because of old Feature-Policy. That could be great to update your code ;-)

Again, many thanks !!

@IssueFindings commented on GitHub: Sorry for the delay... and many thanks for your answer. Based on it, I update my Permissions-Policy as below `add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com' 'https://twofactorauth.org'), usb=(), vr=()";` That works even if an alert is displayed because of old Feature-Policy. That could be great to update your code ;-) Again, many thanks !!

OVERLORD commented 2025-10-09 17:19:28 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

@IssueFindings well looking in our code i see that we use the old draft name for this header, so maybe we need to add/update it to match the latest draft.

But in our code i see the following value for Feature-Policy, i think that if you copy that, it should work.

"accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'"

Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Which states the same markup as in the code above instead of using =() as values.

@BlackDex commented on GitHub: @IssueFindings well looking in our code i see that we use the old draft name for this header, so maybe we need to add/update it to match the latest draft. But in our code i see the following value for `Feature-Policy`, i think that if you copy that, it should work. ``` "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'" ``` Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy Which states the same markup as in the code above instead of using `=()` as values.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label better for forum question Third party

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1553