Set floc opt out header before_action
What does this MR do and why?
Related to #354753 (closed)
It sets the Permissions-Policy for floc opt out before_action so the header is set even on redirects. This allows for marginal security improvements if we tighten the Permissions-Policy eventually and helps customer-facing people by improving our scores on security scanners.
How to set up and validate locally
$ curl -is http://127.0.0.1:3000 | grep -i Permissions-Policy
Permissions-Policy: interest-cohort=()
Before the change there's no header on the / route because the user is redirected before_action and the header wasn't applied yet.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Couture
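A check for the validation step above that also covers the redirect case, as an added example that is not part of the MR. The function name and the sample responses are constructed here, and the function expects header-only input such as `curl -sL -o /dev/null -D - http://127.0.0.1:3000` produces.

```shell
# Added example: reads one or more HTTP response header blocks on stdin and
# prints the status code of every response that lacks the FLoC opt-out.
# Exit status is 1 if any response is missing it, 0 otherwise.
missing_floc_optout() {
  tr -d '\r' | awk '
    function report() {
      # Called when a block ends: flag it if the opt-out was never seen.
      if (status != "" && !ok) { print status; bad = 1 }
    }
    /^HTTP\// { report(); status = $2; ok = 0; next }   # new response block
    {
      line = tolower($0)   # header names are case-insensitive
      if (line ~ /^permissions-policy:/ && line ~ /interest-cohort=\(\)/) ok = 1
    }
    END { report(); exit bad }
  '
}

# Constructed sample: the redirect on / carries no header, only the final
# response does (the behaviour described for before the change).
sample_before() {
  printf 'HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1:3000/example-target\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nPermissions-Policy: interest-cohort=()\r\n\r\n'
}

# Constructed sample: the header is present on the redirect as well.
sample_after() {
  printf 'HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1:3000/example-target\r\n'
  printf 'Permissions-Policy: interest-cohort=()\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\npermissions-policy: interest-cohort=()\r\n\r\n'
}

# Demo on the constructed samples.
sample_before | missing_floc_optout || echo "opt-out missing on the status codes listed above"
sample_after | missing_floc_optout && echo "opt-out present on every response"
```

Following redirects with `-L` is what makes the 302 visible to the check; a plain request to the final URL would pass even without the change.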