What is the best way to deal with the new security headers?
- Cross-Origin-Embedder-Policy (COEP) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy (COOP) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy (CORP) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
What I have:
more_set_headers "Content-Security-Policy: $content_security_policy";
more_set_headers 'Cross-Origin-Embedder-Policy-Report-Only: require-corp; report-to="default"';
more_set_headers 'Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="default"';
more_set_headers 'Cross-Origin-Resource-Policy: cross-origin';
more_set_headers 'Expect-CT: max-age=86400,report-uri="https://ktkymjds.uriports.com/reports/enforce"';
more_set_headers 'NEL: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}';
more_set_headers 'Permissions-Policy: camera=(self), fullscreen=(*), geolocation=(self), payment=()';
more_set_headers 'Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://ktkymjds.uriports.com/reports"}],"include_subdomains":true}';
more_set_headers 'X-Content-Type-Options: nosniff';
# more_set_headers 'X-Frame-Options: SAMEORIGIN';  # ImmuniWeb complains when this is commented out; Pale Moon blocks the page when it is enabled!
more_set_headers 'X-XSS-Protection: 1; mode=block';
- You can check with:
curl -IL https://www.geoportal.de/portal/main/
- I have added the fourth line – without success.
The problem is I get a shit load of these messages in app.uriports.com:
Should I just set COEP and COOP to unsafe-none? Or how can I minimise these messages?
I found out that I can add crossorigin to the HTML img tag. But what about all the other access methods?
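The following is an added example, not part of the question above and not code from geoportal.de or uriports. It models, in Node.js, the decision a browser makes for each subresource of a document that sends Cross-Origin-Embedder-Policy: a no-cors load (a plain img, script, link, font or iframe without a crossorigin attribute) must carry a Cross-Origin-Resource-Policy header that permits the embedding, otherwise COEP require-corp substitutes same-origin and blocks it; a cors-mode load (crossorigin="anonymous", fetch, XHR, ES modules) skips the CORP check but must pass CORS. The URLs and response headers are constructed test data, and the site computation (last two host labels, no Public Suffix List) and the anonymous-only CORS check are simplifications assumed here.

```javascript
// Model of the browser-side subresource check under COEP (added example; the
// real algorithm is the Fetch spec's "cross-origin resource policy check").
const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Assumption: "site" approximated as the last two host labels (no Public Suffix List).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v).trim();
  return out;
}

/**
 * Decide whether a subresource fetch succeeds for a document sending COEP.
 *   coep: "unsafe-none" | "require-corp" | "credentialless"
 *   mode: "no-cors" (img/script/link/iframe without crossorigin) or "cors"
 *         (crossorigin="anonymous", fetch(), XHR, ES modules)
 * Returns { allowed, reason }; "reason" explains which rule decided.
 */
function subresourceCheck({ documentUrl, coep, resourceUrl, mode = "no-cors", responseHeaders = {} }) {
  const h = lowerHeaders(responseHeaders);
  const docOrigin = originOf(documentUrl);
  const resOrigin = originOf(resourceUrl);

  // Same-origin responses are never subject to CORP.
  if (docOrigin === resOrigin) return { allowed: true, reason: "same-origin" };

  // cors mode: CORP is not consulted, but the CORS check must pass.
  // Assumption: anonymous requests only (use-credentials needs an exact origin + ACAC).
  if (mode === "cors") {
    const acao = h["access-control-allow-origin"];
    if (acao === "*" || acao === docOrigin) return { allowed: true, reason: "cors" };
    return { allowed: false, reason: "cors: missing or non-matching Access-Control-Allow-Origin" };
  }

  // no-cors: apply CORP; COEP supplies the default when the header is absent.
  let policy = (h["cross-origin-resource-policy"] || "").toLowerCase();
  if (!CORP_VALUES.has(policy)) policy = null;
  if (policy === null) {
    if (coep === "require-corp") {
      policy = "same-origin";
    } else {
      // unsafe-none never blocks; credentialless sends no-cors cross-origin requests
      // without credentials, so an absent CORP header is also allowed there.
      return { allowed: true, reason: `no CORP header, COEP ${coep}` };
    }
  }

  if (policy === "cross-origin") return { allowed: true, reason: "CORP: cross-origin" };
  if (policy === "same-origin") {
    return { allowed: false, reason: "CORP same-origin (default under require-corp) and resource is cross-origin" };
  }
  // same-site: same registrable domain, and an https document may not load it over http.
  const sameSite = siteOf(documentUrl) === siteOf(resourceUrl);
  const httpsToHttp = new URL(documentUrl).protocol === "https:" && new URL(resourceUrl).protocol !== "https:";
  if (sameSite && !httpsToHttp) return { allowed: true, reason: "CORP: same-site" };
  return { allowed: false, reason: "CORP same-site, but resource is cross-site or downgraded to http" };
}

// Constructed cases for a page on www.geoportal.de that enforces require-corp.
const DOC = "https://www.geoportal.de/portal/main/";
function runExamples() {
  return [
    { name: "third-party img, no CORP",          r: subresourceCheck({ documentUrl: DOC, coep: "require-corp", resourceUrl: "https://tiles.example.net/1.png" }) },
    { name: "third-party img, CORP cross-origin", r: subresourceCheck({ documentUrl: DOC, coep: "require-corp", resourceUrl: "https://tiles.example.net/1.png", responseHeaders: { "Cross-Origin-Resource-Policy": "cross-origin" } }) },
    { name: "img with crossorigin + ACAO *",      r: subresourceCheck({ documentUrl: DOC, coep: "require-corp", resourceUrl: "https://tiles.example.net/1.png", mode: "cors", responseHeaders: { "Access-Control-Allow-Origin": "*" } }) },
    { name: "img with crossorigin, no ACAO",      r: subresourceCheck({ documentUrl: DOC, coep: "require-corp", resourceUrl: "https://tiles.example.net/1.png", mode: "cors" }) },
    { name: "same-site static host, CORP same-site", r: subresourceCheck({ documentUrl: DOC, coep: "require-corp", resourceUrl: "https://static.geoportal.de/app.css", responseHeaders: { "Cross-Origin-Resource-Policy": "same-site" } }) },
    { name: "COEP unsafe-none, no CORP",          r: subresourceCheck({ documentUrl: DOC, coep: "unsafe-none", resourceUrl: "https://tiles.example.net/1.png" }) },
  ];
}

for (const { name, r } of runExamples()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${name}: ${r.reason}`);
}
```

Every URL that shows up as blocked in the report-only stream is a resource that hits the "BLOCK" branches above: either its server must add Cross-Origin-Resource-Policy: cross-origin (or same-site for your own hosts), or the element must be fetched in cors mode (crossorigin attribute, fetch, module script) against a server that answers with Access-Control-Allow-Origin. Setting COEP to unsafe-none makes the check a no-op, which is why the reports disappear, at the price of not getting the cross-origin isolation that require-corp provides.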