feat: add ACP toggles for COEP and CORP headers

install/data/defaults.json

@@ -146,6 +146,8 @@
     "dailyDigestFreq": "off",
     "digestHour": 17,
     "passwordExpiryDays": 0,
+    "cross-origin-embedder-policy": 1,
+    "cross-origin-resource-policy": "same-origin",
     "hsts-maxage": 31536000,
     "hsts-subdomains": 0,
     "hsts-preload": 0,

public/language/en-GB/admin/settings/advanced.json

@@ -15,6 +15,9 @@
 	"headers.acac": "Access-Control-Allow-Credentials",
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
+	"headers.coep": "Cross-Origin-Embedder-Policy",
+	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
 	"hsts.maxAge": "HSTS Max Age",

src/views/admin/settings/advanced.tpl

@@ -66,6 +66,22 @@
 				<label for="access-control-allow-headers">[[admin/settings/advanced:headers.acah]]</label>
 				<input class="form-control" id="access-control-allow-headers" type="text" placeholder="" data-field="access-control-allow-headers" /><br />
 			</div>
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" data-field="cross-origin-embedder-policy" id="cross-origin-embedder-policy">
+					<span class="mdl-switch__label"><strong>[[admin/settings/advanced:headers.coep]]</strong></span>
+				</label>
+			</div>
+			<p class="help-block">[[admin/settings/advanced:headers.coep-help]]</p>
+			<div class="form-group">
+				<label for="cross-origin-resource-policy">[[admin/settings/advanced:headers.corp]]</label>
+				<select class="form-control" id="cross-origin-resource-policy" data-field="cross-origin-resource-policy">
+					<option value="same-site">same-site</option>
+					<option value="same-origin">same-origin</option>
+					<option value="cross-origin">cross-origin</option>
+				</select>
+				<br />
+			</div>
 		</form>
 	</div>
 </div>

src/webserver.js

@@ -184,16 +184,21 @@ function setupExpressApp(app) {
 }
 
 function setupHelmet(app) {
+	/**
+	 * The only reason why these middlewares are all explicitly spelled out is because
+	 * helmet.contentSecurityPolicy() is too restrictive and breaks plugins.
+	 *
+	 * It should be implemented in the future... 🔜
+	 */
+	if (meta.config['cross-origin-embedder-policy']) {
+		app.use(helmet.crossOriginEmbedderPolicy());
+	}
+	app.use(helmet.crossOriginOpenerPolicy());
+	app.use(helmet.crossOriginResourcePolicy({ policy: meta.config['cross-origin-resource-policy'] }));
 	app.use(helmet.dnsPrefetchControl());
 	app.use(helmet.expectCt());
 	app.use(helmet.frameguard());
 	app.use(helmet.hidePoweredBy());
-	app.use(helmet.ieNoOpen());
-	app.use(helmet.noSniff());
-	app.use(helmet.permittedCrossDomainPolicies());
-	app.use(helmet.xssFilter());
-
-	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	if (meta.config['hsts-enabled']) {
 		app.use(helmet.hsts({
 			maxAge: meta.config['hsts-maxage'],
@@ -201,6 +206,12 @@ function setupHelmet(app) {
 			preload: !!meta.config['hsts-preload'],
 		}));
 	}
+	app.use(helmet.ieNoOpen());
+	app.use(helmet.noSniff());
+	app.use(helmet.originAgentCluster());
+	app.use(helmet.permittedCrossDomainPolicies());
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
+	app.use(helmet.xssFilter());
 }