Request to add `Permissions-Policy` header

[AshGw]

I propose adding a new middleware option in Helmet to set the Permissions-Policy header, which I think can be a great add-on to the existing security middlewares.

Example Implementation

app.use(permissionsPolicy({
    features: {
        geolocation: ['self'],
        camera: [],
        microphone: []
    },
    directives: {
        accelerometer: "'none'",
        autoplay: ["'self'", 'https://example.com'],
        syncXhr: ["'self'"],
        usb: "'none'"
    },
    reportOnly: false,
    reportUri: '/report-violation', 
    forceHTTPS: true  
}));

[EvanHahn]

Permissions-Policy is still in a draft state. It's also unsupported in Firefox or Safari, so I'm hesitant to add it.

For now, here are some options:

• Write a very simple middleware yourself. Here's an example:

  app.use((req, res, next) => {
  res.setHeader(
    "Permissions-Policy",
    "geolocation=(), interest-cohort=()"
  );
  next();
  });

• Install the permissions-policy package. This package is not maintained by me but is a fork of a Helmet module and I have contributed a few changes.

Would that work for you?

[AshGw]

That'll do