Add Cross-Origin-*-Policy headers

Add new `Cross-Origin-*-Policy` HTTP response headers.
martincostello · Dec 31, 2024 · 087354e · 087354e
1 parent 27881a1
commit 087354e
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/src/LondonTravel.Site/Middleware/CustomHttpHeadersMiddleware.cs b/src/LondonTravel.Site/Middleware/CustomHttpHeadersMiddleware.cs
@@ -59,6 +59,9 @@ public async Task Invoke(HttpContext context)
                 context.Response.Headers.Remove(HeaderNames.Server);
                 context.Response.Headers.Remove(HeaderNames.XPoweredBy);
 
+                context.Response.Headers.Append("Cross-Origin-Embedder-Policy", "unsafe-none");
+                context.Response.Headers.Append("Cross-Origin-Opener-Policy", "same-origin");
+                context.Response.Headers.Append("Cross-Origin-Resource-Policy", "same-origin");
                 context.Response.Headers.Append("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
                 context.Response.Headers.Append("Referrer-Policy", "no-referrer-when-downgrade");
                 context.Response.Headers.XContentTypeOptions = "nosniff";

diff --git a/src/LondonTravel.Site/assets/scripts/SwaggerUI.ts b/src/LondonTravel.Site/assets/scripts/SwaggerUI.ts
@@ -42,6 +42,9 @@ export class SwaggerUI {
                 responseInterceptor: (response: any): any => {
                     delete response.headers['content-security-policy'];
                     delete response.headers['content-security-policy-report-only'];
+                    delete response.headers['cross-origin-embedder-policy'];
+                    delete response.headers['cross-origin-opener-policy'];
+                    delete response.headers['cross-origin-resource-policy'];
                     delete response.headers['permissions-policy'];
                 },
             });

diff --git a/tests/LondonTravel.Site.Tests/EndToEnd/ResourceTests.cs b/tests/LondonTravel.Site.Tests/EndToEnd/ResourceTests.cs
@@ -66,6 +66,9 @@ public async Task Response_Headers_Contains_Expected_Headers()
         [
             "content-security-policy",
             "content-security-policy-report-only",
+            "Cross-Origin-Embedder-Policy",
+            "Cross-Origin-Opener-Policy",
+            "Cross-Origin-Resource-Policy",
             "NEL",
             "Permissions-Policy",
             "Referrer-Policy",

diff --git a/tests/LondonTravel.Site.Tests/Integration/ResourceTests.cs b/tests/LondonTravel.Site.Tests/Integration/ResourceTests.cs
@@ -124,6 +124,9 @@ public async Task Response_Headers_Contains_Expected_Headers()
         [
             "content-security-policy",
             "content-security-policy-report-only",
+            "Cross-Origin-Embedder-Policy",
+            "Cross-Origin-Opener-Policy",
+            "Cross-Origin-Resource-Policy",
             "NEL",
             "Permissions-Policy",
             "Referrer-Policy",