Add Cross-Origin-*-Policy headers management and default values

2026-05-24 09:28:37 +00:00 · 2023-06-06 10:42:40 -04:00 · 2023-06-06 10:42:40 -04:00 · e01c14f11f
commit e01c14f11f
parent 0b3c1a8a04
2 changed files with 49 additions and 1 deletions
--- a/src/common/core/headers/headers.lua
+++ b/src/common/core/headers/headers.lua
@ -13,6 +13,9 @@ function headers:initialize()
    ["REFERRER_POLICY"] = "Referrer-Policy",
    ["PERMISSIONS_POLICY"] = "Permissions-Policy",
    ["FEATURE_POLICY"] = "Feature-Policy",
+    ["CROSS_ORIGIN_OPENER_POLICY"] = "Cross-Origin-Opener-Policy",
+    ["CROSS_ORIGIN_EMBEDDER_POLICY"] = "Cross-Origin-Embedder-Policy",
+    ["CROSS_ORIGIN_RESOURCE_POLICY"] = "Cross-Origin-Resource-Policy",
    ["X_FRAME_OPTIONS"] = "X-Frame-Options",
    ["X_CONTENT_TYPE_OPTIONS"] = "X-Content-Type-Options",
    ["X_XSS_PROTECTION"] = "X-XSS-Protection"
--- a/src/common/core/headers/plugin.json
+++ b/src/common/core/headers/plugin.json
@ -17,7 +17,7 @@
    },
    "REMOVE_HEADERS": {
      "context": "multisite",
-      "default": "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version",
+      "default": "Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version",
      "help": "Headers to remove (Header1 Header2 Header3 ...)",
      "id": "remove-headers",
      "label": "Remove headers",
@ -108,6 +108,51 @@
      "regex": "^(?![; ])( ?([\\w-]+)(?!.*[^-]\\2 )( ('(none|self|strict-dynamic|report-sample|unsafe-inline|unsafe-eval|unsafe-hashes|unsafe-allow-redirects)'|https?://[\\w@:%.+~#=-]+[\\w()!@:%+.~#?&/=$-]*))+;)*$",
      "type": "text"
    },
+    "CROSS_ORIGIN_OPENER_POLICY": {
+      "context": "multisite",
+      "default": "same-origin",
+      "help": "Value for the Cross-Origin-Opener-Policy header.",
+      "id": "cross-origin-opener-policy",
+      "label": "Cross-Origin-Opener-Policy",
+      "regex": "^(unsafe-none|same-origin-allow-popups|same-origin)?$",
+      "type": "select",
+      "select": [
+        "",
+        "unsafe-none",
+        "same-origin-allow-popups",
+        "same-origin"
+      ]
+    },
+    "CROSS_ORIGIN_EMBEDDER_POLICY": {
+      "context": "multisite",
+      "default": "require-corp",
+      "help": "Value for the Cross-Origin-Embedder-Policy header.",
+      "id": "cross-origin-embedder-policy",
+      "label": "Cross-Origin-Embedder-Policy",
+      "regex": "^(unsafe-none|require-corp|credentialless)?$",
+      "type": "select",
+      "select": [
+        "",
+        "unsafe-none",
+        "require-corp",
+        "credentialless"
+      ]
+    },
+    "CROSS_ORIGIN_RESOURCE_POLICY": {
+      "context": "multisite",
+      "default": "same-site",
+      "help": "Value for the Cross-Origin-Resource-Policy header.",
+      "id": "cross-origin-resource-policy",
+      "label": "Cross-Origin-Resource-Policy",
+      "regex": "^(same-site|same-origin|cross-origin)?$",
+      "type": "select",
+      "select": [
+        "",
+        "same-site",
+        "same-origin",
+        "cross-origin"
+      ]
+    },
    "X_FRAME_OPTIONS": {
      "context": "multisite",
      "default": "SAMEORIGIN",