diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
index 9a2ab9899..d25414349 100644
--- a/app/templates/element/httpHeaders.php
+++ b/app/templates/element/httpHeaders.php
@@ -32,12 +32,14 @@
 // CakePHP adds inline event handlers ("oninput" and "oninvalid") to fields as part of FormHelper.
 // So as not to throw CSP errors, we must include "script-src-attr 'unsafe-inline'".
- header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; script-src 'self' 'nonce-$vv_js_nonce'; script-src-attr 'unsafe-inline';");
+ header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; script-src 'self' 'nonce-$vv_js_nonce'; script-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
 header("X-Content-Type-Options: nosniff");
- header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
- header("Cross-Origin-Opener-Policy: same-origin");
+ header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
+ header('Cross-Origin-Opener-Policy: same-origin');
+ header('Cross-Origin-Embedder-Policy: require-corp');
 header("X-Permitted-Cross-Domain-Policies: none");
+ header("Referrer-Policy: strict-origin-when-cross-origin");
 // Add X-UA-Compatible header for IE
 if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {