Add recommended HTTP headers and move them to an element. (CO-2720) (#…

…679) * Add recommended HTTP headers and move them to an element. (CO-2720) * Extend "Permissions-Policy" HTTP header (CO-2720) --------- Co-authored-by: Arlen Johnson <[email protected]>
Internet2 · Jan 22, 2025 · 9742a03 · 9742a03
1 parent 77ce36f
commit 9742a03
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 29 deletions.
diff --git a/app/View/Elements/httpHeaders.ctp b/app/View/Elements/httpHeaders.ctp
@@ -0,0 +1,42 @@
+<?php
+  /**
+   * COmanage Registry HTTP Headers
+   *
+   * Portions licensed to the University Corporation for Advanced Internet
+   * Development, Inc. ("UCAID") under one or more contributor license agreements.
+   * See the NOTICE file distributed with this work for additional information
+   * regarding copyright ownership.
+   *
+   * UCAID licenses this file to you under the Apache License, Version 2.0
+   * (the "License"); you may not use this file except in compliance with the
+   * License. You may obtain a copy of the License at:
+   *
+   * http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   *
+   * @link          http://www.internet2.edu/comanage COmanage Project
+   * @package       registry
+   * @since         COmanage Registry v4.5.0
+   * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+   */
+
+// As a general rule, all Registry pages are post-login and so shouldn't be cached
+header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
+header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
+header("Pragma: no-cache");
+
+header("Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'");
+header("X-Content-Type-Options: nosniff");
+header("Permissions-Policy: accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=(),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=()");
+header("Cross-Origin-Opener-Policy: same-origin");
+header("X-Permitted-Cross-Domain-Policies: none");
+
+// Add X-UA-Compatible header for IE
+if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
+  header('X-UA-Compatible: IE=edge,chrome=1');
+}
diff --git a/app/View/Layouts/default.ctp b/app/View/Layouts/default.ctp
@@ -25,16 +25,7 @@
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
 
-  // As a general rule, all Registry pages are post-login and so shouldn't be cached
-  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-  header("Pragma: no-cache");
-  header("Content-Security-Policy: frame-ancestors 'self'");
-
-  // Add X-UA-Compatible header for IE
-  if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-    header('X-UA-Compatible: IE=edge,chrome=1');
-  }
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html lang="<?php print _txt('lang'); ?>">

diff --git a/app/View/Layouts/error.ctp b/app/View/Layouts/error.ctp
@@ -16,8 +16,8 @@
  * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
  */
 
-header("Content-Security-Policy: frame-ancestors 'self'");
-$cakeDescription = __d('cake_dev', 'CakePHP: the rapid development php framework');
+  print $this->element('httpHeaders');
+  $cakeDescription = __d('cake_dev', 'CakePHP: the rapid development php framework');
 ?>
 <!DOCTYPE html>
 <html>

diff --git a/app/View/Layouts/lightbox.ctp b/app/View/Layouts/lightbox.ctp
@@ -24,12 +24,8 @@
  * @since         COmanage Registry v1.0
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-  // As a general rule, all Registry pages are post-login and so shouldn't be cached
-  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-  header("Pragma: no-cache");
-  header("Content-Security-Policy: frame-ancestors 'self'");
+
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html>

diff --git a/app/View/Layouts/redirect.ctp b/app/View/Layouts/redirect.ctp
@@ -24,17 +24,8 @@
  * @since         COmanage Registry v1.0.3
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-  // As a general rule, all Registry pages are post-login and so shouldn't be cached
-  header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
-  header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
-  header("Pragma: no-cache");
-  header("Content-Security-Policy: frame-ancestors 'self'");
-
-  // Add X-UA-Compatible header for IE
-  if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
-    header('X-UA-Compatible: IE=edge,chrome=1');
-  }
+
+  print $this->element('httpHeaders');
 ?>
 <!DOCTYPE html>
 <html lang="<?php print _txt('lang'); ?>">