[PROPOSAL] Add plugin-security.policy

[lukas-vlcek]

What/Why

What are you proposing?

Some plugins need plugin-security.policy config file. The plugin template does not have any example or it explain how to add it.

What users have asked for this feature?

n/a

What problems are you trying to solve?

When the plugin needs this file there is no example provided in the template. And there is also no explanation about when/why this file is required.

What is the developer experience going to be?

A new file src/main/plugin-metadata/plugin-security.policy will be added.

Are there any security considerations?

Possibly? If users just carry over this file into their plugins without any modifications.

Are there any breaking changes to the API

No breaking changes. The documentation should make it clear for users to understand if they need this config file or not. If this file is not needed in their case they should be given instructions about how to remove this file (or how to keep it "empty", ie. without any permissions, if that is an option too).

What is the user experience going to be?

The README currently explains how to customize the plugin code. The customization will include a new part about the plugin-security.policy file.

Are there breaking changes to the User Experience?

I do not think there are any.

Why should it be built? Any reason not to?

See above.

What will it take to execute?

• A simple example of plugin-security.policy shall be introduced along with some code changes that really require listed permissions (meaning users will face a real issues if they remove the policy file).
• It should be documented and explained.

Any remaining open questions?

n/a