avoid breaking image hotlinking for now

nginx/nginx.conf

@@ -202,12 +202,19 @@ http {
             try_files $uri.html =404;
         }
 
+        location = /favicon.ico {
+            include snippets/security-headers.conf;
+            # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
+            add_header Cache-Control "public, max-age=604800";
+        }
+
         # broken link (now fixed) on https://noagendaphone.com/ with UTF-8 replacement character
         location ~ "^/\xEF\xBF\xBC$" {
             return 301 /;
         }
 
-        location ~ "\.(ico|webmanifest)$" {
+        location ~ "\.webmanifest$" {
             include snippets/security-headers.conf;
             add_header Cross-Origin-Resource-Policy "same-origin" always;
             add_header Cache-Control "public, max-age=604800";
@@ -221,6 +228,8 @@ http {
 
         location ~ "\.svg$" {
             include snippets/security-headers.conf;
+            # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
             add_header Cache-Control "public, max-age=31536000";
         }
 
@@ -234,6 +243,8 @@ http {
 
         location ~ "\.png$" {
             include snippets/security-headers.conf;
+            # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
             add_header Cache-Control "public, max-age=31536000";
             gzip_static off;
             brotli_static off;