From 444ad1a9826cd074b7fb65ce6e80d02498993c83 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Fri, 18 Jun 2021 20:20:50 -0400
Subject: [PATCH] set up COEP and CORP headers

---
 nginx/nginx.conf                     | 3 +++
 nginx/snippets/security-headers.conf | 1 +
 2 files changed, 4 insertions(+)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index b30e91d..ed17698 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -89,6 +89,7 @@ http {
         root /var/empty;
 
         include snippets/security-headers.conf;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
         add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
         # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
         add_header X-Frame-Options "DENY";
@@ -101,6 +102,7 @@ http {
             proxy_hide_header Content-Security-Policy;
             proxy_hide_header X-Frame-Options;
             include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
             add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
             # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
             add_header X-Frame-Options "DENY";
@@ -129,6 +131,7 @@ http {
         root /usr/share/webapps/element;
 
         include snippets/security-headers.conf;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
         add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content";
         # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
         add_header X-Frame-Options "SAMEORIGIN";
diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf
index c4755d2..ae19168 100644
--- a/nginx/snippets/security-headers.conf
+++ b/nginx/snippets/security-headers.conf
@@ -1,5 +1,6 @@
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header Cross-Origin-Opener-Policy "same-origin" always;
+add_header Cross-Origin-Embedder-Policy "require-corp" always;
 add_header X-Content-Type-Options "nosniff" always;
 
 # obsolete when client system time is correct