set up COEP and CORP headers

nginx/nginx.conf

@@ -89,6 +89,7 @@ http {
         root /var/empty;
 
         include snippets/security-headers.conf;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
         add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
         # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
         add_header X-Frame-Options "DENY";
@@ -101,6 +102,7 @@ http {
             proxy_hide_header Content-Security-Policy;
             proxy_hide_header X-Frame-Options;
             include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
             add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
             # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
             add_header X-Frame-Options "DENY";
@@ -129,6 +131,7 @@ http {
         root /usr/share/webapps/element;
 
         include snippets/security-headers.conf;
+        add_header Cross-Origin-Resource-Policy "same-origin" always;
         add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content";
         # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
         add_header X-Frame-Options "SAMEORIGIN";

nginx/snippets/security-headers.conf

@@ -1,5 +1,6 @@
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header Cross-Origin-Opener-Policy "same-origin" always;
+add_header Cross-Origin-Embedder-Policy "require-corp" always;
 add_header X-Content-Type-Options "nosniff" always;
 
 # obsolete when client system time is correct