From 1bfad8c6513d7eda41f270213f9bb64394a5c96a Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Thu, 2 Jan 2025 00:13:14 -0500
Subject: [PATCH] * Thu Jan 02 2025 Jean-Philippe Pialasse 11.0.0-12.sme - fix OCSP Stapling support [SME: 12819] - fix .well-known/security.txt [SME: 12818] - add X-Permitted-Cross-Domain-Policies header [SME: 12857] - add Cross-Origin headers [SME: 12856] - add Permissions-Policy header [SME: 12855]
---
 .../etc/httpd/conf/httpd.conf/35SSL36SSLStapling | 2 +-
 .../templates/etc/httpd/conf/httpd.conf/38Cross-Domain | 1 +
 .../templates/etc/httpd/conf/httpd.conf/38Cross-Origin | 5 +++++
 .../etc/httpd/conf/httpd.conf/38Permissions-Policy | 1 +
 .../var/www/html/.well-known/security.txt/20encryption | 2 +-
 smeserver-apache.spec | 9 ++++++++-
 6 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain
 create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin
 create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
index 8474e70..fe0459c 100644
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
@@ -1,2 +1,2 @@
 SSLUseStapling On
-SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)
+SSLStaplingCache dbm:/run/httpd/ssl_stapling
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain
new file mode 100644
index 0000000..32952de
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain
@@ -0,0 +1 @@
+header setifempty X-Permitted-Cross-Domain-Policies "none"
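Review bot: Dropping `(32768)` makes the `dbm:` cache spec valid, but a size hint is the syntax mod_ssl documents for the shared-memory provider, so `SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)` may have been the original intent; it keeps the bound, provided mod_socache_shmcb is loaded in this build. This two-line fragment also leaves responder-failure handling at its defaults, under which mod_ssl passes unsuccessful OCSP responses on to clients. Consider adding `SSLStaplingReturnResponderErrors off` and a short `SSLStaplingResponderTimeout`, unless another fragment already sets them.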
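Review bot: Without the `always` condition this header goes only into the onsuccess table, so mod_headers does not add it to error responses or to ErrorDocument output reached through an internal redirect; the same applies to every `Header setifempty` line in 38Cross-Origin and 38Permissions-Policy. If 4xx/5xx coverage is wanted, use `Header always setifempty X-Permitted-Cross-Domain-Policies "none"`. Note that `always` checks a separate table, so a value set by an application would no longer suppress the default and the result should be tested for duplicate headers. As a style point, the directive is spelled `header` here and `Header` in the other two new fragments; the capitalised form would match them.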
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin
new file mode 100644
index 0000000..c2fdb88
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin
@@ -0,0 +1,5 @@
+Header setifempty Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Opener-Policy "unsafe-none"
+Header setifempty Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Resource-Policy "same-site"
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy
new file mode 100644
index 0000000..6189143
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy
@@ -0,0 +1 @@
+Header setifempty Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption b/root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption
index 46bbd21..9fa3084 100644
--- a/root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption
+++ b/root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption
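Review bot: The `report-to='default'` parameter on the three lines that carry it uses single quotes, which is not a valid string in the structured-field syntax these headers are parsed with, so browsers are expected to discard the parameter or the whole header; inside the Apache-quoted value it should read `report-to=\"default\"`. The two `-Report-Only` lines repeat the permissive `unsafe-none` value, which can never produce a violation report; to learn what enforcement would break they need the strict values, e.g. `Header setifempty Cross-Origin-Opener-Policy-Report-Only "same-origin; report-to=\"default\""` and `require-corp` for the embedder policy. No `Reporting-Endpoints` (or legacy `Report-To`) header naming a `default` endpoint is visible in this commit, so confirm one is defined elsewhere. `Cross-Origin-Resource-Policy "same-site"` is the one line here that changes browser behaviour, since other sites can no longer embed this server's images, scripts or fonts in no-cors mode; that deserves a `#` comment in the fragment and a release-note mention.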
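Review bot: `fullscreen=*`, `payment=*`, `picture-in-picture=*` and `sync-xhr=*` are the only entries left at the wildcard, which lets a page delegate those features to any framed origin, while every other feature is denied or limited to `self`. For a hardening default, `payment=(self)` (or `payment=()`) would be more consistent unless a shipped application is known to need third-party payment frames; the same question applies to the other three. The value is a single hard-coded string, so a short `#` comment above it recording why each wildcard is kept would help the next maintainer, as would making the policy overridable through a db property the way the security.txt fragment reads `SecurityEncryption`.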
@@ -4,5 +4,5 @@ Encryption: { # Encryption: https://example.com/pgp-key.txt # Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY # Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f -${'httpd-e-smith'}{'SecurityEncryption'}||'none'} +${'httpd-e-smith'}{'SecurityEncryption'}||'openpgp4fpr:'} diff --git a/smeserver-apache.spec b/smeserver-apache.spec index 8feb67a..87f1415 100644 --- a/smeserver-apache.spec +++ b/smeserver-apache.spec @@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module %define name smeserver-apache Name: %{name} %define version 11.0.0 -%define release 11 +%define release 12 Version: %{version} Release: %{release}%{?dist} License: GPL @@ -74,6 +74,13 @@ if [ $1 -gt 1 ] ; then fi %changelog +* Thu Jan 02 2025 Jean-Philippe Pialasse 11.0.0-12.sme +- fix OCSP Stapling support [SME: 12819] +- fix .well-known/security.txt [SME: 12818] +- add X-Permitted-Cross-Domain-Policies header [SME: 12857] +- add Cross-Origin headers [SME: 12856] +- add Permissions-Policy header [SME: 12855] + * Fri Dec 27 2024 Jean-Philippe Pialasse 11.0.0-11.sme - add X-Content-Type-Options nosniff [SME: 12835] - add Strict Transport Security support HSTS [SME: 12815]
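Review bot: When `SecurityEncryption` is unset the new fallback emits `Encryption: openpgp4fpr:`, a URI with an empty fingerprint that points at no key; it is closer to the RFC 9116 syntax than `none`, but it still advertises an encryption key that does not exist. The field is optional, so emitting nothing in that case would be cleaner, which means generating the whole line inside the Perl block, e.g. `{ my $enc = ${'httpd-e-smith'}{'SecurityEncryption'}; $OUT = $enc ? "Encryption: $enc\n" : ''; }`. The literal `Encryption: {` prefix sits above the changed line and the rest of the fragment is outside this hunk, so the exact restructuring needs checking against the full file.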