From b9a50047705c1854f3cbe6601f9acf7dbccc6017 Mon Sep 17 00:00:00 2001
From: Arlen Johnson
Date: Wed, 25 Jun 2025 15:20:13 -0400
Subject: [PATCH 1/3] Add Cross-Origin-Embedder-Policy to Match (CO-2720)
---
 app/templates/element/httpHeaders.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
index 9a2ab989..bae379c6 100644
--- a/app/templates/element/httpHeaders.php
+++ b/app/templates/element/httpHeaders.php
@@ -29,7 +29,7 @@
 header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
 header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
 header("Pragma: no-cache");
-
+
 // CakePHP adds inline event handlers ("oninput" and "oninvalid") to fields as part of FormHelper.
 // So as not to throw CSP errors, we must include "script-src-attr 'unsafe-inline'".
 header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; script-src 'self' 'nonce-$vv_js_nonce'; script-src-attr 'unsafe-inline';");
@@ -37,6 +37,7 @@
 header("X-Content-Type-Options: nosniff");
 header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
 header("Cross-Origin-Opener-Policy: same-origin");
+ header("Cross-Origin-Embedder-Policy: require-corp");
 header("X-Permitted-Cross-Domain-Policies: none");
 
 // Add X-UA-Compatible header for IE
From cd9ba6a9bd996313dcbf5276856a110a0e741c27 Mon Sep 17 00:00:00 2001
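Review bot: `Cross-Origin-Embedder-Policy: require-corp` on the added line makes the browser refuse every cross-origin subresource (images, fonts, scripts, iframes) that does not opt in with a `Cross-Origin-Resource-Policy` header or a CORS `crossorigin` request, so any third-party asset the templates pull in silently breaks, and the commit does not say whether those were inventoried. The `Permissions-Policy` line two lines above also sets `cross-origin-isolated=()`, which denies the document the cross-origin-isolated capability that the COOP+COEP pair exists to unlock, so as written the site takes the compatibility risk without gaining `crossOriginIsolated` (SharedArrayBuffer, high-resolution timers). If only the hardening is wanted, `require-corp` may be unnecessary; if isolation is the goal, `cross-origin-isolated=(self)` is the Permissions-Policy value to change, and `credentialless` is a less breaking COEP value worth evaluating where browser support allows. Either way the line deserves a why-comment, e.g. `// COEP require-corp: cross-origin subresources must opt in via CORP or CORS or they are blocked.`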
From: Arlen Johnson
Date: Wed, 25 Jun 2025 15:58:12 -0400
Subject: [PATCH 2/3] Fix quotes for COEP and COOP to be strictly standards compliant (CO-2720)
---
 app/templates/element/httpHeaders.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
index bae379c6..4e585767 100644
--- a/app/templates/element/httpHeaders.php
+++ b/app/templates/element/httpHeaders.php
@@ -36,8 +36,8 @@
 
 header("X-Content-Type-Options: nosniff");
 header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
- header("Cross-Origin-Opener-Policy: same-origin");
- header("Cross-Origin-Embedder-Policy: require-corp");
+ header('Cross-Origin-Opener-Policy: "same-origin"');
+ header('Cross-Origin-Embedder-Policy: "require-corp"');
 header("X-Permitted-Cross-Domain-Policies: none");
 
 // Add X-UA-Compatible header for IE
From 84d370c869b47d942491e78603cc4f94257f6d06 Mon Sep 17 00:00:00 2001
From: Arlen Johnson
Date: Wed, 23 Jul 2025 16:17:03 -0400
Subject: [PATCH 3/3] White space refactor (post rebase) (CO-2720)
---
 app/templates/element/httpHeaders.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
index 4e585767..7268cff7 100644
--- a/app/templates/element/httpHeaders.php
+++ b/app/templates/element/httpHeaders.php
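Review bot: Wrapping the values in double quotes on the two added lines most likely disables both headers rather than making them compliant: COOP and COEP are structured-field items whose value the HTML spec defines as a token (`same-origin`, `require-corp`), and a double-quoted value parses as a structured-field string, which the browser parsers I am aware of treat as unrecognised and fall back to `unsafe-none`. The quotes around these values in spec and MDN prose are notation, not part of the wire value. Revert to the unquoted form the previous commit introduced, `header("Cross-Origin-Opener-Policy: same-origin");` and `header("Cross-Origin-Embedder-Policy: require-corp");`, and confirm on a deployed page in the browser devtools that the document's opener and embedder policies are reported as applied rather than `unsafe-none`.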
@@ -29,7 +29,7 @@
 header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
 header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
 header("Pragma: no-cache");
-
+
 // CakePHP adds inline event handlers ("oninput" and "oninvalid") to fields as part of FormHelper.
 // So as not to throw CSP errors, we must include "script-src-attr 'unsafe-inline'".
 header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; script-src 'self' 'nonce-$vv_js_nonce'; script-src-attr 'unsafe-inline';");