From d069da17c8c48777c29bc8c7855b13c8cd6e6aa0 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Wed, 14 Apr 2021 23:30:01 -0400 Subject: [PATCH] set CORP header for error responses too --- nginx/nginx.conf | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 0ea61b0a..26b3d5bb 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -88,7 +88,7 @@ http { root /var/empty; include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; return 301 https://grapheneos.org$request_uri; } @@ -101,7 +101,7 @@ http { root /var/empty; include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; return 302 https://github.com/GrapheneOS/Vanadium; } @@ -116,7 +116,7 @@ http { error_page 404 /404.html; include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; gzip_static on; brotli_static on; @@ -213,14 +213,14 @@ http { location = /404 { internal; include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; include snippets/preload.conf; } location = /404.html { internal; include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; include snippets/preload.conf; } @@ -231,13 +231,13 @@ http { location ~ "\.(ico|webmanifest)$" { include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cache-Control "public, max-age=604800"; } location ~ "\.(css|js|mjs)$" { include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cache-Control "public, max-age=31536000, immutable"; } @@ -248,7 +248,7 @@ http { location ~ "\.woff2$" { include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cache-Control "public, max-age=31536000, immutable"; gzip_static off; brotli_static off; @@ -274,7 +274,7 @@ http { include snippets/security-headers-base.conf; add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=()" always; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cache-Control "public, no-cache"; include snippets/preload.conf; try_files $uri.html =404; @@ -282,7 +282,7 @@ http { location / { include snippets/security-headers.conf; - add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cache-Control "public, no-cache"; include snippets/preload.conf; try_files $uri $uri.html $uri/ =404;