Merge branch 'aarthy/headers' into 'enterprise'

ci bot · ci bot · commit e34d0516a0cc · 2025-08-22T17:58:38.000Z
fix(security): add cors header

See merge request dkinternal/observability/dataops-observability!52
diff --git a/observability_ui/nginx.conf b/observability_ui/nginx.conf
@@ -70,6 +70,7 @@ http {
       add_header Referrer-Policy strict-origin-when-cross-origin;
       add_header Permissions-Policy "attribution-reporting=(self),deferred-fetch=(self),deferred-fetch-minimal=(self),fullscreen=(self),storage-access=(self),web-share=(self),accelerometer=(),autoplay=(),bluetooth=(),camera=(),captured-surface-control=(),compute-pressure=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),language-detector=(),microphone=(),local-fonts=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),publickey-credentials-create=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),summarizer=(),translator=(),usb=(),window-management=(),xr-spatial-tracking=()";
       add_header Cross-Origin-Opener-Policy same-origin;
+      add_header Cross-Origin-Resource-Policy same-origin;
       add_header Cross-Origin-Embedder-Policy require-corp;
       add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-${request_id}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; frame-ancestors 'none'; connect-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net ${api_hostname}; ${csp_extra}" always;
     }

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ http {`
`70`	`70`	`add_header Referrer-Policy strict-origin-when-cross-origin;`
`71`	`71`	add_header Permissions-Policy "attribution-reporting=(self),deferred-fetch=(self),deferred-fetch-minimal=(self),fullscreen=(self),storage-access=(self),web-share=(self),accelerometer=(),autoplay=(),bluetooth=(),camera=(),captured-surface-control=(),compute-pressure=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),language-detector=(),microphone=(),local-fonts=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),publickey-credentials-create=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),summarizer=(),translator=(),usb=(),window-management=(),xr-spatial-tracking=()";
`72`	`72`	`add_header Cross-Origin-Opener-Policy same-origin;`
	`73`	`+ add_header Cross-Origin-Resource-Policy same-origin;`
`73`	`74`	`add_header Cross-Origin-Embedder-Policy require-corp;`
`74`	`75`	`add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-${request_id}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; frame-ancestors 'none'; connect-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net ${api_hostname}; ${csp_extra}" always;`
`75`	`76`	`}`