update feature-policy header (#3193)

Updates the Feature-Policy header to a Permissions-Policy header.

Also, add hidden username fields to some forms to suppress console warnings.

client/webserver/middleware.go

@@ -30,7 +30,7 @@ func (s *WebServer) securityMiddleware(next http.Handler) http.Handler {
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("Referrer-Policy", "no-referrer")
 		w.Header().Set("Content-Security-Policy", s.csp)
-		w.Header().Set("Feature-Policy", "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'")
+		w.Header().Set("Permissions-Policy", "geolocation=(), midi=(), sync-xhr=(self), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()")
 		next.ServeHTTP(w, r)
 	})
 }

client/webserver/site/src/html/init.tmpl

@@ -9,6 +9,7 @@
         <span class="ico-locked fs20 grey me-2"></span>
         <span>[[[Set App Password]]]</span>
       </header>
+      <input type="text" name="username" autocomplete="username" class="d-hide"> <!-- to suppress console warning -->
       <div class="fs18">[[[reg_set_app_pw_msg]]]</div>
       <div class="mt-3 border-top">
         <label for="appPW">[[[Password]]]</label>

client/webserver/site/src/html/wallets.tmpl

@@ -817,6 +817,7 @@
       <div id="exportDisclaimer">
         [[[export_wallet_disclaimer]]]
       </div>
+      <input type="text" name="username" autocomplete="username" class="d-hide"> <!-- to suppress console warning -->
       <div class="text-start">
         <label for="exportWalletPW">[[[Password]]]</label>
         <input type="password" id="exportWalletPW" autocomplete="current-password">