Permissions-Policy

Please note that the Permissions-Policy standard is currently only a DRAFT, and not supported in all browsers. Meaning, browsers that do not support it, will ignore whatever policy you define.

The Permissions-Policy standard allows the Zimbra server to set what features can be used by the web browser. For example if you do not use any video conferencing you can prevent the browser from asking permission for using the web camera and/or microphone.

This can be an added layer of security in case you use third-party integrations or scripts such as cookie consent walls. In case the third-party is compromised, you can limit what these third-party scripts can do in Zimbra.

It is not recommended to implement the Permissions-Policy standard in Zimbra at this time.

Example configuration

To disable everything, run as user zimbra:

zmprov mcf +zimbraReverseProxyResponseHeaders "Permissions-Policy: 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()' always"

./libexec/zmproxyconfgen -s `zmhostname`
zmproxyctl restart

Further reading

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy#browser_compatibility
• https://www.w3.org/TR/permissions-policy/