From f641e65c1f29e94307037819bad77e21fd066121 Mon Sep 17 00:00:00 2001 From: Catherine Renelle <32781029+catrenelle@users.noreply.github.com> Date: Mon, 9 Mar 2026 08:17:29 -0400 Subject: [PATCH] Add cross-origin isolation security headers - Cross-Origin-Embedder-Policy: credentialless (allows Google Fonts) - Cross-Origin-Opener-Policy: same-origin (isolates browsing context) - Cross-Origin-Resource-Policy: same-origin (prevents cross-origin loads) Co-Authored-By: Claude Opus 4.6 --- src/hooks.server.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/hooks.server.ts b/src/hooks.server.ts index 9611821..4f879bc 100644 --- a/src/hooks.server.ts +++ b/src/hooks.server.ts @@ -112,6 +112,9 @@ export const handle: Handle = async ({ event, resolve }) => { response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws: wss:; frame-ancestors 'none'"); } response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()'); + response.headers.set('Cross-Origin-Embedder-Policy', 'credentialless'); + response.headers.set('Cross-Origin-Opener-Policy', 'same-origin'); + response.headers.set('Cross-Origin-Resource-Policy', 'same-origin'); logger.info({ method: event.request.method,