fix(security_response_headers): update Permissions-Policy default val…

…ue for fullscreen
elastic · Dec 20, 2024 · 18d6f88 · 18d6f88
1 parent 9f01087
commit 18d6f88
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts b/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
@@ -20,7 +20,7 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
     expect(result.securityResponseHeaders).toMatchInlineSnapshot(`
       Object {
         "Cross-Origin-Opener-Policy": "same-origin",
-        "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
+        "Permissions-Policy": "camera=(), display-capture=(), fullscreen=*, geolocation=(), microphone=(), web-share=()",
         "Referrer-Policy": "strict-origin-when-cross-origin",
         "X-Content-Type-Options": "nosniff",
       }

diff --git a/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts b/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
@@ -38,7 +38,7 @@ export const securityResponseHeadersSchema = schema.object({
     // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
     // Note: this currently lists all non-experimental permissions, as of May 2023
     defaultValue:
-      'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()',
+      'camera=(), display-capture=(), fullscreen=*, geolocation=(), microphone=(), web-share=()',
   }),
   permissionsPolicyReportOnly: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])),
   disableEmbedding: schema.boolean({ defaultValue: false }), // is used to control X-Frame-Options and CSP headers