COmanage · arlen · Jan 25, 2025 · Jan 22, 2025
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
@@ -0,0 +1,42 @@
+<?php
+  /**
+   * COmanage Match HTTP Headers
+   *
+   * Portions licensed to the University Corporation for Advanced Internet
+   * Development, Inc. ("UCAID") under one or more contributor license agreements.
+   * See the NOTICE file distributed with this work for additional information
+   * regarding copyright ownership.
+   *
+   * UCAID licenses this file to you under the Apache License, Version 2.0
+   * (the "License"); you may not use this file except in compliance with the
+   * License. You may obtain a copy of the License at:
+   *
+   * http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   *
+   * @link          http://www.internet2.edu/comanage COmanage Project
+   * @package       match
+   * @since         COmanage Match v1.0.0
+   * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+   */
+
+// As a general rule, all Match pages are post-login and so shouldn't be cached
+  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
+  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
+  header("Pragma: no-cache");
+
+  header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'");
+  header("X-Content-Type-Options: nosniff");
+  header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
+  header("Cross-Origin-Opener-Policy: same-origin");
+  header("X-Permitted-Cross-Domain-Policies: none");
+
+// Add X-UA-Compatible header for IE
+  if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
+    header('X-UA-Compatible: IE=edge,chrome=1');
+  }
diff --git a/app/templates/layout/default.php b/app/templates/layout/default.php
@@ -25,17 +25,8 @@
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
 
-declare(strict_types = 1);
-
-// As a general rule, all Match pages are post-login and so shouldn't be cached
-header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-header("Pragma: no-cache");
-
-// Add X-UA-Compatible header for IE
-if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-  header('X-UA-Compatible: IE=edge,chrome=1');
-}
+  declare(strict_types = 1);
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html lang="<?= __('match.meta.lang'); ?>">

diff --git a/app/templates/layout/error.php b/app/templates/layout/error.php
@@ -12,6 +12,7 @@
  * @since         0.10.0
  * @license       https://opensource.org/licenses/mit-license.php MIT License
  */
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html>