Cross-Origin security improvements

AFCMS · AFCMS · commit 70168bb959b2 · 2025-10-17T13:15:52.000+02:00
diff --git a/Caddyfile b/Caddyfile
@@ -13,7 +13,9 @@
 		Content-Security-Policy "default-src 'none'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; frame-src 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; connect-src 'self'; img-src 'self' data: blob:; font-src 'self' data:; style-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval'; media-src 'self' blob:; upgrade-insecure-requests"
 		Referrer-Policy "no-referrer"
 		Permissions-Policy "autoplay=(self), fullscreen=(self), picture-in-picture=(), geolocation=(), microphone=(), camera=(), display-capture=(), screen-wake-lock=(), usb=(), serial=(), hid=(), midi=(), payment=(), accelerometer=(), gyroscope=(), magnetometer=(), clipboard-read=(), clipboard-write=(), idle-detection=(), encrypted-media=(), storage-access=(), attribution-reporting=(), browsing-topics=(), run-ad-auction=(), join-ad-interest-group=(), publickey-credentials-get=(), xr-spatial-tracking=(), gamepad=(), sync-xhr=(), local-fonts=(), otp-credentials=(), window-management=()"
+		Cross-Origin-Embedder-Policy "require-corp"
 		Cross-Origin-Resource-Policy "same-origin"
+		Cross-Origin-Opener-Policy "same-origin"
 		Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 	}
 
diff --git a/vercel.json b/vercel.json
@@ -26,6 +26,14 @@
                     "key": "Cross-Origin-Resource-Policy",
                     "value": "same-origin"
                 },
+                {
+                    "key": "Cross-Origin-Opener-Policy",
+                    "value": "same-origin"
+                },
+                {
+                    "key": "Cross-Origin-Embedder-Policy",
+                    "value": "require-corp"
+                },
                 {
                     "key": "Strict-Transport-Security",
                     "value": "max-age=63072000; includeSubDomains; preload"

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,9 @@`
`13`	`13`	`Content-Security-Policy "default-src 'none'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; frame-src 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; connect-src 'self'; img-src 'self' data: blob:; font-src 'self' data:; style-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval'; media-src 'self' blob:; upgrade-insecure-requests"`
`14`	`14`	`Referrer-Policy "no-referrer"`
`15`	`15`	Permissions-Policy "autoplay=(self), fullscreen=(self), picture-in-picture=(), geolocation=(), microphone=(), camera=(), display-capture=(), screen-wake-lock=(), usb=(), serial=(), hid=(), midi=(), payment=(), accelerometer=(), gyroscope=(), magnetometer=(), clipboard-read=(), clipboard-write=(), idle-detection=(), encrypted-media=(), storage-access=(), attribution-reporting=(), browsing-topics=(), run-ad-auction=(), join-ad-interest-group=(), publickey-credentials-get=(), xr-spatial-tracking=(), gamepad=(), sync-xhr=(), local-fonts=(), otp-credentials=(), window-management=()"
	`16`	`+ Cross-Origin-Embedder-Policy "require-corp"`
`16`	`17`	`Cross-Origin-Resource-Policy "same-origin"`
	`18`	`+ Cross-Origin-Opener-Policy "same-origin"`
`17`	`19`	`Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"`
`18`	`20`	`}`
`19`	`21`