From 7a98fd7658b4b934a7f8d880eb14d85271d06c54 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Fri, 23 Jan 2026 13:48:23 -0700
Subject: [PATCH] Add Permissions-Policy header settings and corresponding tests

---
 dojo/settings/settings.dist.py | 20 ++++++++++++++++++++
 requirements.txt | 1 +
 unittests/test_permission_policy_headers.py | 11 +++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 unittests/test_permission_policy_headers.py

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index ab7918c922c..a5141612fea 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -817,6 +817,25 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 SESSION_EXPIRE_AT_BROWSER_CLOSE = env("DD_SESSION_EXPIRE_AT_BROWSER_CLOSE")
 SESSION_EXPIRE_WARNING = env("DD_SESSION_EXPIRE_WARNING")
 SESSION_COOKIE_AGE = env("DD_SESSION_COOKIE_AGE")
+# Permission-Policy header settings
+# See docs at https://pypi.org/project/django-permissions-policy/
+PERMISSIONS_POLICY = {
+ "accelerometer": [],
+ "ambient-light-sensor": [],
+ "autoplay": [],
+ "camera": [],
+ "display-capture": [],
+ "encrypted-media": [],
+ "fullscreen": [],
+ "geolocation": [],
+ "gyroscope": [],
+ "interest-cohort": [],
+ "magnetometer": [],
+ "microphone": [],
+ "midi": [],
+ "payment": [],
+ "usb": [],
+}
 # ------------------------------------------------------------------------------
 # DEFECTDOJO SPECIFIC
@@ -966,6 +985,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 "django.contrib.sessions.middleware.SessionMiddleware",
 "django.middleware.csrf.CsrfViewMiddleware",
 "django.middleware.security.SecurityMiddleware",
+ "django_permissions_policy.PermissionsPolicyMiddleware",
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
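Review bot: The comment on the first added line of the PERMISSIONS_POLICY hunk names the header `Permission-Policy`, while the header the middleware emits (and the new test checks) is `Permissions-Policy`; it also does not say what an empty list means, and a later maintainer could read `[]` as "unset" rather than "denied for every origin, this site included". Suggest `# Permissions-Policy header: an empty list disables that feature for all origins, including this site` above the link line. Unlike the surrounding `SESSION_*` settings, which are read via `env("DD_...")`, this block is hard-coded, so a deployment that legitimately needs one of these features (fullscreen for an embedded view, for example) has to patch settings.dist.py; consider whether an env-driven override following the file's existing pattern is wanted before this ships. The second hunk, inserting `django_permissions_policy.PermissionsPolicyMiddleware` after SecurityMiddleware, looks fine as placed since it only sets a response header.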
diff --git a/requirements.txt b/requirements.txt
index 5f8d7b0e35d..f25a6aa9200 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,6 +16,7 @@ django-crispy-forms==2.5
 django_extensions==4.1
 django-slack==5.19.0
 django-watson==1.6.3
+django-permissions-policy==4.28.0
 django-prometheus==2.4.1
 Django==5.2.9
 django-single-session==0.2.0
diff --git a/unittests/test_permission_policy_headers.py b/unittests/test_permission_policy_headers.py
new file mode 100644
index 00000000000..7deae634ac6
--- /dev/null
+++ b/unittests/test_permission_policy_headers.py
@@ -0,0 +1,11 @@
+from django.test import TestCase
+from django.urls import reverse
+
+
+class EmptyPermissionsPolicyTests(TestCase):
+ def test_empty_policy_still_sets_header(self):
+ response = self.client.get(reverse("login"))
+ self.assertIn("Permissions-Policy", response.headers)
+ # Header may be empty or minimal, but must exist
+ self.assertIsNotNone(response["Permissions-Policy"])
+ self.assertGreaterEqual(len(response["Permissions-Policy"]), 2)
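Review bot: The test name `test_empty_policy_still_sets_header` and the comment `# Header may be empty or minimal, but must exist` do not describe what the test exercises: the settings added in this patch declare fifteen directives, so the policy under test is not empty, and as far as I recall the library an actually empty `PERMISSIONS_POLICY` makes the middleware omit the header entirely, which this test would then fail rather than confirm. Either rename it to something like `test_permissions_policy_header_is_set` and drop the comment, or make the empty case explicit with `@override_settings(PERMISSIONS_POLICY={})` and assert whichever behaviour is intended. The assertions are also weak — `len(...) >= 2` passes for almost any value — so pin a directive the settings actually declare, e.g. `self.assertIn("camera=()", response["Permissions-Policy"])` (the exact serialisation is the library's, worth confirming). `assertIsNotNone` on `response["Permissions-Policy"]` is redundant after the `assertIn` on `response.headers`, since a missing header would raise before it.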