From 3db492fce824d7c41000ecdae9f4e141eecd0175 Mon Sep 17 00:00:00 2001
From: Arlen Johnson <arlen@sphericalcowgroup.com>
Date: Fri, 24 Jan 2025 21:41:18 -0500
Subject: [PATCH] Add recommended HTTP headers and move them to an element.
 (CO-2720) (#66)

---
 app/templates/element/httpHeaders.php | 42 +++++++++++++++++++++++++++
 app/templates/layout/default.php      | 13 ++-------
 app/templates/layout/error.php        |  1 +
 3 files changed, 45 insertions(+), 11 deletions(-)
 create mode 100644 app/templates/element/httpHeaders.php

diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
new file mode 100644
index 000000000..bcf393a49
--- /dev/null
+++ b/app/templates/element/httpHeaders.php
@@ -0,0 +1,42 @@
+<?php
+  /**
+   * COmanage Match HTTP Headers
+   *
+   * Portions licensed to the University Corporation for Advanced Internet
+   * Development, Inc. ("UCAID") under one or more contributor license agreements.
+   * See the NOTICE file distributed with this work for additional information
+   * regarding copyright ownership.
+   *
+   * UCAID licenses this file to you under the Apache License, Version 2.0
+   * (the "License"); you may not use this file except in compliance with the
+   * License. You may obtain a copy of the License at:
+   *
+   * http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   *
+   * @link          http://www.internet2.edu/comanage COmanage Project
+   * @package       match
+   * @since         COmanage Match v1.0.0
+   * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+   */
+
+// As a general rule, all Match pages are post-login and so shouldn't be cached
+  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
+  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
+  header("Pragma: no-cache");
+  
+  header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'");
+  header("X-Content-Type-Options: nosniff");
+  header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
+  header("Cross-Origin-Opener-Policy: same-origin");
+  header("X-Permitted-Cross-Domain-Policies: none");
+
+// Add X-UA-Compatible header for IE
+  if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
+    header('X-UA-Compatible: IE=edge,chrome=1');
+  }
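Review bot: The block of security headers that follows the cache-control lines has no `Referrer-Policy` and no `X-Frame-Options` fallback for user agents that do not evaluate `frame-ancestors`, so referrer leakage and framing by legacy clients are still unaddressed; add `header("Referrer-Policy: strict-origin-when-cross-origin");` and `header("X-Frame-Options: SAMEORIGIN");` next to the Content-Security-Policy line. The CSP as written restricts only plugins, `<base>` and framing — there is no `default-src` or `script-src` — which is presumably deliberate so inline scripts keep working, and a one-line comment saying so would keep the next reader from assuming it mitigates script injection. The `Expires` value is not in the IMF-fixdate form RFC 7231 requires (`Thu, 10 Jan 1969 00:00:00 GMT`); browsers treat an unparsable date as already expired, so the current line works by accident rather than by specification. The new file also carries no `declare(strict_types=1);` even though default.php keeps its own — `strict_types` is per file, so the layout's declaration does not extend to the element.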
diff --git a/app/templates/layout/default.php b/app/templates/layout/default.php
index 8a8628603..72eee77af 100644
--- a/app/templates/layout/default.php
+++ b/app/templates/layout/default.php
@@ -25,17 +25,8 @@
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
 
-declare(strict_types = 1);
-
-// As a general rule, all Match pages are post-login and so shouldn't be cached
-header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-header("Pragma: no-cache");
-
-// Add X-UA-Compatible header for IE
-if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-  header('X-UA-Compatible: IE=edge,chrome=1');
-}
+  declare(strict_types = 1);
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html lang="<?= __('match.meta.lang'); ?>">
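Review bot: Emitting the headers from an element that the layout renders means they are sent only for responses that go through default.php (and error.php in the next hunk); any response that skips the layout — JSON or XML API output, redirects, file downloads, views rendered with auto-layout disabled — gets neither the cache-control nor the security headers. If this is a CakePHP application, as the `$this->element()` call and the templates path suggest, setting them once in a middleware, or failing that in `AppController::beforeRender()` via `$this->response = $this->response->withHeader('X-Content-Type-Options', 'nosniff');`, would cover every response and avoid calling the global `header()` from inside view rendering. The `print` in `print $this->element('httpHeaders');` is also redundant: the element produces no output, and if it ever did, that output would land ahead of `<!DOCTYPE html>`; `$this->element('httpHeaders');` on its own is enough. The `<?php` block containing these lines opens before the hunk.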
diff --git a/app/templates/layout/error.php b/app/templates/layout/error.php
index 747ad0331..39b0906ff 100644
--- a/app/templates/layout/error.php
+++ b/app/templates/layout/error.php
@@ -12,6 +12,7 @@
  * @since         0.10.0
  * @license       https://opensource.org/licenses/mit-license.php MIT License
  */
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html>
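Review bot: error.php is rendered for exception responses, and if any output was already flushed before the exception (views are normally buffered, but a stray echo or an explicit flush in a controller would do it), the `header()` calls inside the element hit the "headers already sent" condition and are dropped with only a warning, so the error page goes out cacheable and unprotected. A guard at the top of the element body, `if (headers_sent()) { return; }`, at least makes the skip explicit, and setting the headers on the Response object instead lets the framework handle ordering. The `<?php` block this line belongs to opens outside the hunk.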