[GH-ISSUE #1226] Nginx configuration add_header Permissions-Policy #867

Closed
opened 2026-03-03 02:04:10 +03:00 by kerem · 2 comments

Originally created by @IssueFindings on GitHub (Nov 17, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1226

Hello,
I am trying to configure access to Bitwarden through Nginx. When I test my Nginx configuration with https://www.immuniweb.com/websec/, I just get this error message: "PERMISSIONS-POLICY : The header is not properly set." and nothing more...

I don't understand my mistake in the code below:

```
add_header Permissions-Policy "usb=(), geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(self, https://haveibeenpwned.com, https://twofactorauth.org), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(self), payment=()";
```

Could anyone help me?

Have a nice day.


@BlackDex commented on GitHub (Nov 18, 2020):

@IssueFindings Well, looking in our code I see that we use the old draft name for this header, so maybe we need to add/update it to match the latest draft.

But in our code I see the following value for `Feature-Policy`; I think that if you copy that, it should work.

```
"accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'"
```

Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Which states the same markup as in the code above instead of using `=()` as values.


@IssueFindings commented on GitHub (Dec 9, 2020):

Sorry for the delay... and many thanks for your answer. Based on it, I updated my Permissions-Policy as below:

```
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com' 'https://twofactorauth.org'), usb=(), vr=()";
```

That works, even though an alert is displayed because of the old Feature-Policy. It would be great to update your code ;-)

Again, many thanks!!
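
The header values posted in this thread, checked against the Permissions-Policy header syntax (a structured-field dictionary whose allowlists hold `*`, `self` or double-quoted origins, separated by spaces). This is an added example, not part of the original thread or of vaultwarden's code: the `lint` function is a hypothetical, simplified check rather than a full structured-field parser, the thread values are abbreviated, and the corrected form is constructed.

```python
import re

# Simplified subset of the Permissions-Policy header grammar (an assumption of
# this example): allowlist items are bare tokens or a double-quoted origin.
TOKENS = {"self", "*"}
ORIGIN = re.compile(r'^"https?://[^"\s]+"$')
FEATURE = re.compile(r"^[a-z][a-z0-9-]*$")
TOP_LEVEL_COMMA = re.compile(r",(?![^()]*\))")  # commas outside (...)


def lint(value):
    """Return (feature, problem) pairs for one Permissions-Policy value."""
    if ";" in value and "=" not in value:
        return [("*", "Feature-Policy syntax, not Permissions-Policy")]
    problems = []
    for member in filter(None, map(str.strip, TOP_LEVEL_COMMA.split(value))):
        name, sep, allow = member.partition("=")
        if not sep or not FEATURE.match(name):
            problems.append((member, "expected feature=allowlist"))
        elif allow in TOKENS or ORIGIN.match(allow):
            continue
        elif not (allow.startswith("(") and allow.endswith(")")):
            problems.append((name, "allowlist must be *, self, a quoted origin or a (...) list"))
        else:
            inner = allow[1:-1]
            if "," in inner:
                problems.append((name, "items in (...) are space-separated"))
            for item in inner.replace(",", " ").split():
                if item not in TOKENS and not ORIGIN.match(item):
                    problems.append((name, f"origin {item} needs double quotes"))
    return problems


# Abbreviated from the thread; CORRECTED is constructed for this example.
FIRST_ATTEMPT = "camera=(), sync-xhr=(self, https://haveibeenpwned.com, https://twofactorauth.org), fullscreen=(self)"
SECOND_ATTEMPT = "camera=(), sync-xhr=(self 'https://haveibeenpwned.com' 'https://twofactorauth.org'), usb=()"
FEATURE_POLICY = "camera 'none'; sync-xhr 'self' https://haveibeenpwned.com; usb 'none'"
CORRECTED = 'camera=(), sync-xhr=(self "https://haveibeenpwned.com" "https://twofactorauth.org"), usb=()'

if __name__ == "__main__":
    for label in ("FIRST_ATTEMPT", "SECOND_ATTEMPT", "FEATURE_POLICY", "CORRECTED"):
        print(label, lint(globals()[label]) or "ok")
```

In an nginx `add_header` directive, wrapping the value in single quotes lets the double-quoted origins appear without escaping.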
