Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers

Implement proposal: #6176

install_files/ansible-base/roles/app/templates/sites-available/focal/journalist.conf

@@ -31,6 +31,8 @@ Header onsuccess unset X-Download-Options
 Header onsuccess unset Content-Security-Policy
 Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
 Header set Cross-Origin-Opener-Policy "same-origin"
+Header set Cross-Origin-Embedder-Policy "same-origin"
+Header set Cross-Origin-Resource-Policy "same-site"
 
 # Limit the max submitted size of requests.
 LimitRequestBody 524288000

install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf

@@ -52,6 +52,8 @@ Header onsuccess unset X-Download-Options
 Header onsuccess unset X-Content-Type-Options
 Header always set X-Content-Type-Options "nosniff"
 Header set Cross-Origin-Opener-Policy "same-origin"
+Header set Cross-Origin-Embedder-Policy "same-origin"
+Header set Cross-Origin-Resource-Policy "same-site"
 
 Header unset Etag
 

molecule/testinfra/vars/app-qubes-staging.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 
 securedrop_venv: /opt/venvs/securedrop-app-code

molecule/testinfra/vars/app-staging.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin

molecule/testinfra/vars/prod.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/prodVM.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/qubes-staging.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/staging.yml

@@ -4,6 +4,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
   Cross-Origin-Opener-Policy: "same-origin"
+  Cross-Origin-Embedder-Policy: "same-origin"
+  Cross-Origin-Resource-Policy: "same-site"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin