From e54c6f8334a969b08785940cdf8ec94ac20b7ea6 Mon Sep 17 00:00:00 2001
From: HollyChou <128659251+Hollychou924@users.noreply.github.com>
Date: Fri, 20 Mar 2026 23:45:14 +0800
Subject: [PATCH] fix(gateway): allow microphone access for control-ui STT (#51085)
The Permissions-Policy header blocked microphone=() for all origins, preventing the built-in STT mic button in control-ui chat from working. The Web Speech API's SpeechRecognition.start() fails silently with: 'Permissions policy violation: microphone is not allowed in this document' Change microphone=() to microphone=(self) so the gateway's own origin can request mic access while still blocking third-party iframes. Closes #51085
---
 src/gateway/http-common.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gateway/http-common.ts b/src/gateway/http-common.ts
index fdbf70b3594..057f1741e4c 100644
--- a/src/gateway/http-common.ts
+++ b/src/gateway/http-common.ts
@@ -14,7 +14,7 @@ export function setDefaultSecurityHeaders(
 ) {
 res.setHeader("X-Content-Type-Options", "nosniff");
 res.setHeader("Referrer-Policy", "no-referrer");
- res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+ res.setHeader("Permissions-Policy", "camera=(), microphone=(self), geolocation=()");
 const strictTransportSecurity = opts?.strictTransportSecurity;
 if (typeof strictTransportSecurity === "string" && strictTransportSecurity.length > 0) {
 res.setHeader("Strict-Transport-Security", strictTransportSecurity);
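Review bot: The relaxed `microphone=(self)` value is set inside `setDefaultSecurityHeaders`, so it presumably goes out on every gateway response rather than only on the control-ui documents that need speech input; any other same-origin page the gateway serves could then also prompt for the microphone. Since the function already reads `opts` (see `opts?.strictTransportSecurity` just below), consider keeping `microphone=()` as the default and letting the control-ui route opt in, e.g. `const mic = opts?.allowMicrophone ? "(self)" : "()";`, where `allowMicrophone` is a suggested new option name, not an existing one. If the blanket change is intended, a comment such as `// microphone=(self): control-ui STT needs the mic on the gateway origin; cross-origin frames stay blocked` plus a test pinning the header value would record the decision. The function's parameter list and closing lines are outside this hunk, so how `opts` is declared cannot be checked here.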