Merge pull request #1263 from daniel-ac-martin/corp

restify: Add Cross-Origin-Resource-Policy header

.storybook/main.js

@@ -30,6 +30,7 @@ module.exports = {
     '../components/phase-banner/spec/*.stories.@(js|mdx)',
     '../components/radios/spec/*.stories.@(js|mdx)',
     '../components/search-box/spec/*.stories.@(js|mdx)',
+    '../components/service-navigation/spec/*.stories.@(js|mdx)',
     '../components/select/spec/*.stories.@(js|mdx)',
     '../components/skip-link/spec/*.stories.@(js|mdx)',
     '../components/standalone-input/spec/*.stories.@(js|mdx)',

.zap/rules.tsv

@@ -20,6 +20,7 @@
 # We don't control the headers on Netlify's CDN
 10021	OUTOFSCOPE	.*/public/.*
 10063	OUTOFSCOPE	.*/public/.*
+90004	OUTOFSCOPE	.*/public/.*
 # These are not timestamps
 10096	OUTOFSCOPE	.*/public/.*\.css
 # These are not SQL statements

lib/restify/src/index.ts

@@ -7,7 +7,7 @@ import { htmlByDefault } from './middleware/html-by-default';
 import { permissionsPolicy } from './middleware/permissions-policy';
 import { CSPSources, preventClickjacking } from './middleware/prevent-clickjacking';
 import { preventMimeSniffing } from './middleware/prevent-mime-sniffing';
-import { noCacheByDefault } from './middleware/no-cache-by-default';
+import { privateByDefault } from './middleware/private-by-default';
 import { IsReady, readiness } from './middleware/readiness';
 import { Logger, LoggerOptions as _LoggerOptions, logger } from './lib/logger';
 import { Server as _Server, installServeAPI } from './lib/serve-api';
@@ -91,7 +91,7 @@ export const createServer = (options: ServerOptions): Server => {
   httpd.pre(permissionsPolicy);
   httpd.pre(preventClickjacking({ formAction: options.formAction, frameAncestors: options.frameAncestors }));
   httpd.pre(preventMimeSniffing);
-  httpd.pre(noCacheByDefault);
+  httpd.pre(privateByDefault);
 
   httpd.pre(restify.plugins.acceptParser(httpd.acceptable.filter(v => acceptable.includes(v))));
   (options.bodyParser !== false) && httpd.pre(restify.plugins.bodyParser(Object.assign({ mapParams: false }, options.bodyParser)));

lib/restify/src/middleware/no-cache-by-default.ts → lib/restify/src/middleware/private-by-default.ts

@@ -1,12 +1,16 @@
 import type { Middleware, WriteHead } from "./common";
 
-export const noCacheByDefault: Middleware = (_req, res, next) => {
+export const privateByDefault: Middleware = (_req, res, next) => {
   const _writeHead = res.writeHead.bind(res);
   const writeHead: WriteHead = function (...args) {
     if (!this.getHeader('Cache-Control')) {
       this.cache('no-cache, no-store, must-revalidate, private');
       this.header('Pragma', 'no-cache');
       this.header('Expires', '0');
+
+      this.header('Cross-Origin-Embedder-Policy', 'require-corp');
+      this.header('Cross-Origin-Resource-Policy', 'same-origin');
+      this.header('Cross-Origin-Opener-Policy', 'same-origin');
     }
 
     return _writeHead(...args);
@@ -17,4 +21,4 @@ export const noCacheByDefault: Middleware = (_req, res, next) => {
   next();
 };
 
-export default noCacheByDefault;
+export default privateByDefault;