From 03149c183c1a54b9e09cdda98c20c5fa159cebfa Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 25 Jun 2024 15:10:02 -0700
Subject: [PATCH] Split out cross origin security headers

---
 etc/nginx/conf.d/sites_uptime-kuma.conf | 1 +
 etc/nginx/snippets/cross-origin-security.conf | 11 +++++++++++
 etc/nginx/snippets/security.conf | 6 ------
 3 files changed, 12 insertions(+), 6 deletions(-)
 create mode 100644 etc/nginx/snippets/cross-origin-security.conf

diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf
index 3b6801c..a708e21 100644
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@@ -16,6 +16,7 @@ server {
 include snippets/universal_paths.conf;
 include snippets/hsts.conf;
 include snippets/security.conf;
+ include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
 include snippets/proxy.conf;
 proxy_hide_header Content-Security-Policy;
diff --git a/etc/nginx/snippets/cross-origin-security.conf b/etc/nginx/snippets/cross-origin-security.conf
new file mode 100644
index 0000000..e8f1b63
--- /dev/null
+++ b/etc/nginx/snippets/cross-origin-security.conf
@@ -0,0 +1,11 @@
+# CORP, COOP, and COEP headers
+# Meant to be used globally, but some apps may need a manual overwrite, so this is split out from security.conf
+
+proxy_hide_header Cross-Origin-Resource-Policy;
+add_header Cross-Origin-Resource-Policy cross-origin always;
+
+proxy_hide_header Cross-Origin-Opener-Policy;
+add_header Cross-Origin-Opener-Policy same-origin always;
+
+proxy_hide_header Cross-Origin-Opener-Policy;
+Cross-Origin-Embedder-Policy require-corp always;
\ No newline at end of file
diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf
index bf25df8..477a169 100644
--- a/etc/nginx/snippets/security.conf
+++ b/etc/nginx/snippets/security.conf
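Review bot: The last two lines of the new cross-origin-security.conf are broken: `Cross-Origin-Embedder-Policy require-corp always;` has no `add_header` in front of it, so nginx will refuse to load the configuration with an unknown-directive error, and the `proxy_hide_header` just above it names Cross-Origin-Opener-Policy a second time instead of Cross-Origin-Embedder-Policy, so an upstream COEP header would pass through even once the directive is fixed. The two lines should read `proxy_hide_header Cross-Origin-Embedder-Policy;` and `add_header Cross-Origin-Embedder-Policy require-corp always;`. Since this is also the first time COEP is being set (security.conf previously carried only CORP and COOP), the header comment should warn that `require-corp` makes the browser refuse any cross-origin subresource that does not opt in via CORP or CORS, so an app that pulls third-party scripts, fonts or images may break until those are verified. It is also worth noting in that comment that nginx `add_header` directives are not inherited into a block that declares its own `add_header`, so the "manual overwrite" the comment anticipates will silently drop every header from this snippet and from security.conf unless they are all re-stated in the overriding block.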
@@ -13,12 +13,6 @@ add_header X-Content-Type-Options "nosniff" always;
 proxy_hide_header X-Frame-Options;
 add_header X-Frame-Options "SAMEORIGIN" always;
-proxy_hide_header Cross-Origin-Resource-Policy;
-add_header Cross-Origin-Resource-Policy cross-origin always;
-
-proxy_hide_header Cross-Origin-Opener-Policy;
-add_header Cross-Origin-Opener-Policy same-origin always;
-
 # Obsolete and replaced by Content-Security-Policy
 # Only here to pass Hardenize checks
 proxy_hide_header X-XSS-Protection;