fix(security_response_headers): update Permissions-Policy default val…

docs/setup/settings.asciidoc

@@ -428,7 +428,7 @@ experimental[] Controls whether the https://developer.mozilla.org/en-US/docs/Web
 is used in all responses to the client from the {kib} server, and specifies what value is used. Allowed values are any text value or `null`.
 Refer to the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy[`Permissions-Policy` documentation] for defined
 directives, values, and text format. To disable, set to `null`.
-*Default:* `camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()`
+*Default:* `camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=()`
 
 [[server-securityResponseHeaders-permissionsPolicyReportOnly]] `server.securityResponseHeaders.permissionsPolicyReportOnly`::
 experimental[] Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy[`Permissions-Policy-Report-Only`] header

packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts

@@ -20,7 +20,7 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
     expect(result.securityResponseHeaders).toMatchInlineSnapshot(`
       Object {
         "Cross-Origin-Opener-Policy": "same-origin",
-        "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
+        "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self 'https://*.vidyard.com' 'http://*.vidyard.com'), geolocation=(), microphone=(), web-share=()",
         "Referrer-Policy": "strict-origin-when-cross-origin",
         "X-Content-Type-Options": "nosniff",
       }

packages/core/http/core-http-server-internal/src/security_response_headers_config.ts

@@ -38,7 +38,7 @@ export const securityResponseHeadersSchema = schema.object({
     // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
     // Note: this currently lists all non-experimental permissions, as of May 2023
     defaultValue:
-      'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()',
+      'camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=()',
   }),
   permissionsPolicyReportOnly: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])),
   disableEmbedding: schema.boolean({ defaultValue: false }), // is used to control X-Frame-Options and CSP headers

x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts

@@ -20,7 +20,7 @@ export default function ({ getService }: FtrProviderContext) {
     const baseCSP = `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; frame-ancestors 'self'`;
     const defaultCOOP = 'same-origin';
     const defaultPermissionsPolicy =
-      'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=();report-to=violations-endpoint';
+      'camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=();report-to=violations-endpoint';
     const defaultStrictTransportSecurity = 'max-age=31536000; includeSubDomains';
     const defaultReferrerPolicy = 'strict-origin-when-cross-origin';
     const defaultXContentTypeOptions = 'nosniff';