Private
Public Access
1
0

Add cross-origin isolation security headers

- Cross-Origin-Embedder-Policy: credentialless (allows Google Fonts)
- Cross-Origin-Opener-Policy: same-origin (isolates browsing context)
- Cross-Origin-Resource-Policy: same-origin (prevents cross-origin loads)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-03-09 08:17:29 -04:00
parent 2d4c3a57da
commit f641e65c1f
+3
View File
@@ -112,6 +112,9 @@ export const handle: Handle = async ({ event, resolve }) => {
response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws: wss:; frame-ancestors 'none'"); response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws: wss:; frame-ancestors 'none'");
} }
response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()'); response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
response.headers.set('Cross-Origin-Embedder-Policy', 'credentialless');
response.headers.set('Cross-Origin-Opener-Policy', 'same-origin');
response.headers.set('Cross-Origin-Resource-Policy', 'same-origin');
logger.info({ logger.info({
method: event.request.method, method: event.request.method,