Add Cross Origin Policies headers

Ref https://github.com/h5bp/server-configs-apache/issues/250
Léo Colombaro 2021-06-28 14:46:32 +02:00
parent 36310b927b
commit 25a569d97d
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
2 changed files with 59 additions and 0 deletions


@ -0,0 +1,44 @@
# ----------------------------------------------------------------------
# | Cross Origin Policy |
# ----------------------------------------------------------------------
# Set strict a Cross Origin Policy to mitigate information leakage.
#
# (1) Cross-Origin-Embedder-Policy prevents a document from loading any
# cross-origin resources that dont explicitly grant the document
# permission.
# https://html.spec.whatwg.org/multipage/origin.html#coep
# https://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
#
# (2) Cross-Origin-Opener-Policy allows you to ensure a top-level document does
# not share a browsing context group with cross-origin documents.
# https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
# https://owasp.org/www-project-secure-headers/#cross-origin-opener-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
#
# (3) Cross-Origin-Resource-Policy allows to define a policy that lets web
# sites and applications opt in to protection against certain requests from
# other origins, to mitigate speculative side-channel attacks.
# https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
# https://owasp.org/www-project-secure-headers/#cross-origin-resource-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
# https://resourcepolicy.fyi/
#
# To check your Cross Origin Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://web.dev/coop-coep/
# https://web.dev/why-coop-coep/
# https://web.dev/cross-origin-isolation-guide/
# https://scotthelme.co.uk/coop-and-coep/
# (1)
add_header Cross-Origin-Embedder-Policy $coep_policy always;
# (2)
add_header Cross-Origin-Opener-Policy $coop_policy always;
# (3)
add_header Cross-Origin-Resource-Policy $corp_policy always;
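Review bot: The three `add_header` lines ship a fully cross-origin-isolating default (`require-corp` / `same-origin` / `same-origin`, taken from the maps added in the second file) that is far more breaking than the rest of this boilerplate: with COEP `require-corp` every cross-origin subresource (CDN scripts and styles, fonts, images, third-party iframes) is refused unless it sends a CORP header or is fetched with CORS, COOP `same-origin` severs `window.opener` so OAuth and payment popups stop working, and CORP `same-origin` blocks even a same-site static subdomain from embedding assets served by this host. Since the per-type values live in the maps rather than in this file, the header comment here should at least warn the operator, e.g. `# WARNING: these defaults enable cross-origin isolation and will break pages that embed third-party resources or rely on window.opener; test before enabling.`, or the maps should default to the softer `same-origin-allow-popups` / `same-site` values. The comment block also has two typos worth fixing while it is new: "Set strict a Cross Origin Policy" should read "Set a strict Cross-Origin Policy", and "dont" should be "don't".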


@ -120,6 +120,21 @@ http {
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
}
# Add Cross-Origin-Policies for HTML documents.
# h5bp/security/cross-origin-policy.conf
# Cross-Origin-Embedder-Policy
map $sent_http_content_type $coep_policy {
~*text/(css|html|javascript)|application\/pdf|xml "require-corp";
}
# Cross-Origin-Opener-Policy
map $sent_http_content_type $coop_policy {
~*text/(css|html|javascript)|application\/pdf|xml "same-origin";
}
# Cross-Origin-Resource-Policy
map $sent_http_content_type $corp_policy {
~*text/(css|html|javascript)|application\/pdf|xml "same-origin";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
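Review bot: The comment says these policies are added "for HTML documents", but the three new maps reuse the Referrer-Policy regex from the map above and so also stamp CSS, JavaScript, PDF and any type that merely contains `xml` (the unanchored third alternative matches `image/svg+xml`, `application/rss+xml`, and so on). As far as I know COEP and COOP only take effect on documents (and workers), so emitting them on assets is dead weight, while CORP `same-origin` on CSS/JS/SVG means nothing served by this host can be embedded from any other origin, including a same-site subdomain, because `same-origin` compares origin rather than site. I would scope the first two maps to documents, `~*text/html "require-corp";` and `~*text/html "same-origin";`, and change the third to `~*text/(css|html|javascript)|application\/pdf|xml "same-site";`, which still blocks cross-site embedding but keeps a static subdomain working. The maps have no `default`, so unmatched types yield an empty variable and `add_header` skips the header, consistent with the existing `$referrer_policy` map; the `$cors` map at the end of the hunk continues outside this view.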