finish setting up CORP headers and document issues

2021-04-15 04:37:03 -04:00 · 2021-04-15 04:37:03 -04:00 · 39c0b55422
commit 39c0b55422
parent 56d73685e3
1 changed files with 10 additions and 1 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -250,8 +250,17 @@ http {
            brotli_static off;
        }

-        location ~ "\.(atom|json|pdf|txt|xml)$" {
+        location ~ "\.(atom|pdf)$" {
            include snippets/security-headers.conf;
+            # Chromium PDF range requests use wrong origin: https://bugs.chromium.org/p/chromium/issues/detail?id=1074261
+            # Thunderbird uses wrong origin for feeds: https://bugzilla.mozilla.org/show_bug.cgi?id=1698755
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
+            add_header Cache-Control "public, max-age=1800";
+        }
+
+        location ~ "\.(json|txt|xml)$" {
+            include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "same-origin" always;
            add_header Cache-Control "public, max-age=1800";
        }