From 39c0b5542215b3fc179f45218cd74a4848056eb4 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 15 Apr 2021 04:37:03 -0400
Subject: [PATCH] finish setting up CORP headers and document issues
---
 nginx/nginx.conf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0514bcbd..562a8502 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -250,8 +250,17 @@ http {
 brotli_static off;
 }
 
- location ~ "\.(atom|json|pdf|txt|xml)$" {
+ location ~ "\.(atom|pdf)$" {
 include snippets/security-headers.conf;
+ # Chromium PDF range requests use wrong origin: https://bugs.chromium.org/p/chromium/issues/detail?id=1074261
+ # Thunderbird uses wrong origin for feeds: https://bugzilla.mozilla.org/show_bug.cgi?id=1698755
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
+ add_header Cache-Control "public, max-age=1800";
+ }
+
+ location ~ "\.(json|txt|xml)$" {
+ include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Cache-Control "public, max-age=1800";
 }
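Review bot: The `cross-origin` policy in the new `\.(atom|pdf)$` location is a workaround for two client bugs, but the comments do not say that it is temporary or that it relaxes the policy for every path ending in `.atom` or `.pdf` that this regex matches. A line such as `# workaround only: restore "same-origin" once both bugs are fixed; anything non-public must not be served from this location` would make the intended scope explicit for the next maintainer. It is also worth confirming that `snippets/security-headers.conf`, which is not visible in the hunk, does not itself emit `Cross-Origin-Resource-Policy`, since both new locations would then send the header twice with possibly conflicting values. The enclosing server block starts and ends outside the hunk.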