Add Cross Origin Policies headers

Ref h5bp/server-configs-apache#250
h5bp · Jun 28, 2021 · 25a569d · 25a569d
1 parent 36310b9
commit 25a569d
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/h5bp/security/cross-origin-policy.conf b/h5bp/security/cross-origin-policy.conf
@@ -0,0 +1,44 @@
+# ----------------------------------------------------------------------
+# | Cross Origin Policy                                                |
+# ----------------------------------------------------------------------
+
+# Set strict a Cross Origin Policy to mitigate information leakage.
+#
+# (1) Cross-Origin-Embedder-Policy prevents a document from loading any
+#     cross-origin resources that don’t explicitly grant the document
+#     permission.
+#     https://html.spec.whatwg.org/multipage/origin.html#coep
+#     https://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy
+#     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
+#
+# (2) Cross-Origin-Opener-Policy allows you to ensure a top-level document does
+#     not share a browsing context group with cross-origin documents.
+#     https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
+#     https://owasp.org/www-project-secure-headers/#cross-origin-opener-policy
+#     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+#
+# (3) Cross-Origin-Resource-Policy allows to define a policy that lets web
+#     sites and applications opt in to protection against certain requests from
+#     other origins, to mitigate speculative side-channel attacks.
+#     https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
+#     https://owasp.org/www-project-secure-headers/#cross-origin-resource-policy
+#     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
+#     https://resourcepolicy.fyi/
+#
+# To check your Cross Origin Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
+#
+# https://web.dev/coop-coep/
+# https://web.dev/why-coop-coep/
+# https://web.dev/cross-origin-isolation-guide/
+# https://scotthelme.co.uk/coop-and-coep/
+
+# (1)
+add_header Cross-Origin-Embedder-Policy $coep_policy always;
+
+# (2)
+add_header Cross-Origin-Opener-Policy $coop_policy always;
+
+# (3)
+add_header Cross-Origin-Resource-Policy $corp_policy always;
diff --git a/nginx.conf b/nginx.conf
@@ -120,6 +120,21 @@ http {
     ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
   }
 
+  # Add Cross-Origin-Policies for HTML documents.
+  # h5bp/security/cross-origin-policy.conf
+  # Cross-Origin-Embedder-Policy
+  map $sent_http_content_type $coep_policy {
+    ~*text/(css|html|javascript)|application\/pdf|xml "require-corp";
+  }
+  # Cross-Origin-Opener-Policy
+  map $sent_http_content_type $coop_policy {
+    ~*text/(css|html|javascript)|application\/pdf|xml "same-origin";
+  }
+  # Cross-Origin-Resource-Policy
+  map $sent_http_content_type $corp_policy {
+    ~*text/(css|html|javascript)|application\/pdf|xml "same-origin";
+  }
+
   # Add Access-Control-Allow-Origin.
   # h5bp/cross-origin/requests.conf
   map $sent_http_content_type $cors {