COmanage · Ioannis · Jan 24, 2025 · Jan 22, 2025
diff --git a/app/templates/element/httpHeaders.php b/app/templates/element/httpHeaders.php
@@ -0,0 +1,43 @@
+<?php
+  /**
+   * COmanage Registry HTTP Headers
+   *
+   * Portions licensed to the University Corporation for Advanced Internet
+   * Development, Inc. ("UCAID") under one or more contributor license agreements.
+   * See the NOTICE file distributed with this work for additional information
+   * regarding copyright ownership.
+   *
+   * UCAID licenses this file to you under the Apache License, Version 2.0
+   * (the "License"); you may not use this file except in compliance with the
+   * License. You may obtain a copy of the License at:
+   *
+   * http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   *
+   * @link          http://www.internet2.edu/comanage COmanage Project
+   * @package       registry
+   * @since         COmanage Registry v5.1.0
+   * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+   */
+
+  // As a general rule, all Registry pages are post-login and so shouldn't be cached
+  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
+  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
+  header("Pragma: no-cache");
+
+  header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'");
+  header("X-Content-Type-Options: nosniff");
+  header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
+  header("Cross-Origin-Opener-Policy: same-origin");
+  header("X-Permitted-Cross-Domain-Policies: none");
+
+  // Add X-UA-Compatible header for IE
+  if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
+    header('X-UA-Compatible: IE=edge,chrome=1');
+  }
+
diff --git a/app/templates/layout/default.php b/app/templates/layout/default.php
@@ -29,16 +29,7 @@
 
 use App\Lib\Enum\ApplicationStateEnum;
 
-// As a general rule, all Registry pages are post-login and so shouldn't be cached
-header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-header("Pragma: no-cache");
-header("Content-Security-Policy: frame-ancestors 'self'");
-
-// Add X-UA-Compatible header for IE
-if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-  header('X-UA-Compatible: IE=edge,chrome=1');
-}
+print $this->element('httpHeaders');
 
 // Theme Dark mode state
 $darkModeState = $this->ApplicationState->getValue(ApplicationStateEnum::ProfileDarkMode, 'auto');

diff --git a/app/templates/layout/error.php b/app/templates/layout/error.php
@@ -29,16 +29,7 @@
 
 use App\Lib\Enum\ApplicationStateEnum;
 
-// As a general rule, all Registry pages are post-login and so shouldn't be cached
-header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-header("Pragma: no-cache");
-header("Content-Security-Policy: frame-ancestors 'self'");
-
-// Add X-UA-Compatible header for IE
-if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-  header('X-UA-Compatible: IE=edge,chrome=1');
-}
+print $this->element('httpHeaders');
 
 // Theme Dark mode state
 $darkModeState = $this->ApplicationState->getValue(ApplicationStateEnum::ProfileDarkMode, 'auto');

diff --git a/app/templates/layout/iframe.php b/app/templates/layout/iframe.php
@@ -29,16 +29,7 @@
 
 use App\Lib\Enum\ApplicationStateEnum;
 
-// As a general rule, all Registry pages are post-login and so shouldn't be cached
-header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-header("Pragma: no-cache");
-header("Content-Security-Policy: frame-ancestors 'self'");
-
-// Add X-UA-Compatible header for IE
-if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-  header('X-UA-Compatible: IE=edge,chrome=1');
-}
+print $this->element('httpHeaders');
 
 // Theme Dark mode state
 $darkModeState = $this->ApplicationState->getValue(ApplicationStateEnum::ProfileDarkMode, 'auto');