Nginx: add NGINX_CORS_RESOURCE_POLICY support

Author: djbe

README.md

@@ -17,6 +17,7 @@ Images with `nginx` can be configured using the following environment variables.
 | Environment Key | Applied | Description | Default |
 |-----------------|---------|-------------|---------|
 | NGINX_CORS_ORIGINS | Every run | Comma separated list of hostnames (without `https://`) | `*` |
+| NGINX_CORS_RESOURCE_POLICY | Every run | `Cross-Origin-Resource-Policy` value | `same-origin` |
 
 ### Paths
 

common/config/nginx/snippets/headers/security-static-content.conf

@@ -1,7 +1,7 @@
 include /etc/nginx/snippets/headers/security-base.conf;
 
 # Prevent loading resources from other pages
-add_header 'Cross-Origin-Resource-Policy' 'same-origin';
+add_header 'Cross-Origin-Resource-Policy' $cors_resource_policy;
 
 # Prevent indexing
 add_header 'X-Robots-Tag' 'none';

common/config/nginx/snippets/headers/security-web-content.conf

@@ -14,7 +14,7 @@ include /etc/nginx/snippets/headers/security-base.conf;
 add_header 'Cross-Origin-Opener-Policy' 'same-origin';
 
 # Prevent loading resources from other pages
-add_header 'Cross-Origin-Resource-Policy' 'same-origin';
+add_header 'Cross-Origin-Resource-Policy' $cors_resource_policy;
 
 # No tracking
 add_header 'Permissions-Policy' 'interest-cohort=()';

common/scripts/startup/50-env-configure-nginx-cors.sh

@@ -6,11 +6,13 @@ set -euo pipefail
 #
 # Inputs:
 # - NGINX_CORS_ORIGINS: defaults to '*'
+# - NGINX_CORS_RESOURCE_POLICY: defaults to 'same-origin'
 
 # Set defaults & clean up (normalize, trim, …)
 NGINX_CONFIG_FILE=/etc/nginx/snippets/vars/cors-origin.conf
 NGINX_CORS_ORIGINS=$(echo "${NGINX_CORS_ORIGINS:-*}" \
   | sed 's/,/ /g; s/^ *//; s/ *$//; s/  */ /g')
+NGINX_CORS_RESOURCE_POLICY="${NGINX_CORS_RESOURCE_POLICY:-same-origin}"
 
 # Check nginx structure
 if [ ! -f "${NGINX_CONFIG_FILE}" ]; then
@@ -22,7 +24,7 @@ if [ "$NGINX_CORS_ORIGINS" = "*" ]; then
   echo "Nginx: configuring CORS origin with wildcard (allow all)…"
   cat <<EOF > "${NGINX_CONFIG_FILE}"
 # Allow all origins
-map "\$http_origin" \$cors_origin {
+map "" \$cors_origin {
   default "*";
 }
 EOF
@@ -53,3 +55,12 @@ map "\$request_method:\$cors_origin" \$cors_preflight {
   default         "";
 }
 EOF
+
+# Variables used for resource `Cross-Origin-Resource-Policy`
+echo "Nginx: configuring CORS resource policy with '${NGINX_CORS_RESOURCE_POLICY}'…"
+cat <<EOF >> "${NGINX_CONFIG_FILE}"
+# Resource policy
+map "" \$cors_resource_policy {
+  default "${NGINX_CORS_RESOURCE_POLICY}";
+}
+EOF

tests/nuxt-base/secure/cors-origins/env.properties

@@ -1 +1,2 @@
 NGINX_CORS_ORIGINS=apple.com,google.com
+NGINX_CORS_RESOURCE_POLICY=cross-origin

tests/nuxt-base/secure/cors-origins/goss.yaml

@@ -20,6 +20,14 @@ snippets:
     url: http://localhost:8080/style.css
 
 http:
+  cors index:
+    body:
+      - Hey from index.mjs
+    headers:
+      - 'Cross-Origin-Resource-Policy: cross-origin'
+    status: 200
+    url: http://localhost:8080/
+
   # Normal requests
   cors api apple:
     <<: *cors-api
@@ -40,13 +48,15 @@ http:
     headers:
       - 'Access-Control-Allow-Origin: https://apple.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://apple.com'
   cors resource google:
     <<: *cors-resource
     headers:
       - 'Access-Control-Allow-Origin: https://google.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://google.com'
 

tests/nuxt-base/unsecured/cors-origins/env.properties

@@ -1 +1,2 @@
 NGINX_CORS_ORIGINS=apple.com,google.com
+NGINX_CORS_RESOURCE_POLICY=cross-origin

tests/nuxt-base/unsecured/cors-origins/goss.yaml

@@ -20,6 +20,14 @@ snippets:
     url: http://localhost:8080/style.css
 
 http:
+  cors index:
+    body:
+      - Hey from index.mjs
+    headers:
+      - 'Cross-Origin-Resource-Policy: cross-origin'
+    status: 200
+    url: http://localhost:8080/
+
   # Normal requests
   cors api apple:
     <<: *cors-api
@@ -40,13 +48,15 @@ http:
     headers:
       - 'Access-Control-Allow-Origin: https://apple.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://apple.com'
   cors resource google:
     <<: *cors-resource
     headers:
       - 'Access-Control-Allow-Origin: https://google.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://google.com'
 

tests/payload-base/final/cors-origins/env.properties

@@ -1 +1,2 @@
 NGINX_CORS_ORIGINS=apple.com,google.com
+NGINX_CORS_RESOURCE_POLICY=cross-origin

tests/payload-base/final/cors-origins/goss.yaml

@@ -20,6 +20,14 @@ snippets:
     url: http://localhost:8080/style.css
 
 http:
+  cors index:
+    body:
+      - Hey from server.js
+    headers:
+      - 'Cross-Origin-Resource-Policy: cross-origin'
+    status: 200
+    url: http://localhost:8080/
+
   # Normal requests
   cors api apple:
     <<: *cors-api
@@ -40,13 +48,15 @@ http:
     headers:
       - 'Access-Control-Allow-Origin: https://apple.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://apple.com'
   cors resource google:
     <<: *cors-resource
     headers:
       - 'Access-Control-Allow-Origin: https://google.com'
       - 'Access-Control-Allow-Credentials: true'
+      - 'Cross-Origin-Resource-Policy: cross-origin'
     request-headers:
       - 'Origin: https://google.com'