Add Cross-Origin-Embedder-Policy to Match (CO-2720)

COmanage · Jul 23, 2025 · b9a5004 · b9a5004
1 parent 80a837a
commit b9a5004
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
@@ -29,14 +29,15 @@
   header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
   header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
   header("Pragma: no-cache");
-
+  
   // CakePHP adds inline event handlers ("oninput" and "oninvalid") to fields as part of FormHelper.
   // So as not to throw CSP errors, we must include "script-src-attr 'unsafe-inline'".
   header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; script-src 'self' 'nonce-$vv_js_nonce'; script-src-attr 'unsafe-inline';");
 
   header("X-Content-Type-Options: nosniff");
   header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
   header("Cross-Origin-Opener-Policy: same-origin");
+  header("Cross-Origin-Embedder-Policy: require-corp");
   header("X-Permitted-Cross-Domain-Policies: none");
 
   // Add X-UA-Compatible header for IE