Improve security header - add x-frame-options / permissions-policy

src/Web/Grand.Web.Common/Infrastructure/ApplicationBuilderExtensions.cs

@@ -291,6 +291,7 @@ public static void UseDefaultSecurityHeaders(this IApplicationBuilder applicatio
         {
             var policyCollection = new HeaderPolicyCollection()
                 .AddXssProtectionBlock()
+                .AddFrameOptionsDeny()
                 .AddContentTypeOptionsNoSniff()
                 .AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365) // maxage = one year in seconds
                 .AddReferrerPolicyStrictOriginWhenCrossOrigin()
@@ -308,6 +309,22 @@ public static void UseDefaultSecurityHeaders(this IApplicationBuilder applicatio
                     builder.AddScriptSrc().From("*").UnsafeInline().UnsafeEval();
                     builder.AddStyleSrc().From("*").UnsafeEval().UnsafeInline();
                 })
+                .AddPermissionsPolicy(builder =>
+                {                    
+                    builder.AddAutoplay().Self();
+                    builder.AddCamera().None();
+                    builder.AddEncryptedMedia().Self();
+                    builder.AddFullscreen().All();
+                    builder.AddGeolocation().Self();
+                    builder.AddGyroscope().None();
+                    builder.AddMagnetometer().None();
+                    builder.AddMicrophone().None();
+                    builder.AddMidi().None();
+                    builder.AddPayment().None();
+                    builder.AddPictureInPicture().None();
+                    builder.AddSyncXHR().None();
+                    builder.AddUsb().None();
+                })
                 .RemoveServerHeader();
 
             application.UseSecurityHeaders(policyCollection);