diff --git a/.storybook/main.js b/.storybook/main.js
index b1d6c67e1..a66167222 100644
--- a/.storybook/main.js
+++ b/.storybook/main.js
@@ -30,6 +30,7 @@ module.exports = {
 '../components/phase-banner/spec/*.stories.@(js|mdx)',
 '../components/radios/spec/*.stories.@(js|mdx)',
 '../components/search-box/spec/*.stories.@(js|mdx)',
+ '../components/service-navigation/spec/*.stories.@(js|mdx)',
 '../components/select/spec/*.stories.@(js|mdx)',
 '../components/skip-link/spec/*.stories.@(js|mdx)',
 '../components/standalone-input/spec/*.stories.@(js|mdx)',
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
index f95e5f827..5a7c1b504 100644
--- a/.zap/rules.tsv
+++ b/.zap/rules.tsv
@@ -20,6 +20,7 @@
 # We don't control the headers on Netlify's CDN
 10021 OUTOFSCOPE .*/public/.*
 10063 OUTOFSCOPE .*/public/.*
+90004 OUTOFSCOPE .*/public/.*
 # These are not timestamps
 10096 OUTOFSCOPE .*/public/.*\.css
 # These are not SQL statements
diff --git a/lib/restify/src/index.ts b/lib/restify/src/index.ts
index ef2560afd..e64df9ced 100644
--- a/lib/restify/src/index.ts
+++ b/lib/restify/src/index.ts
@@ -7,7 +7,7 @@ import { htmlByDefault } from './middleware/html-by-default';
 import { permissionsPolicy } from './middleware/permissions-policy';
 import { CSPSources, preventClickjacking } from './middleware/prevent-clickjacking';
 import { preventMimeSniffing } from './middleware/prevent-mime-sniffing';
-import { noCacheByDefault } from './middleware/no-cache-by-default';
+import { privateByDefault } from './middleware/private-by-default';
 import { IsReady, readiness } from './middleware/readiness';
 import { Logger, LoggerOptions as _LoggerOptions, logger } from './lib/logger';
 import { Server as _Server, installServeAPI } from './lib/serve-api';
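Review bot: The new `90004 OUTOFSCOPE .*/public/.*` exemption carries no comment naming the rule it silences, unlike the CDN-header rules it is grouped with, so the next reader cannot tell whether it belongs under "We don't control the headers on Netlify's CDN" or was just appended there. 90004 appears to be ZAP's site-isolation check for the Cross-Origin-Opener/Embedder/Resource-Policy headers that the accompanying middleware change now sets on application responses, which is consistent with exempting only the static `/public/` path; if that is the intent, record it: `# 90004 (Insufficient Site Isolation / COOP, COEP, CORP): static assets served from the CDN do not carry these headers`. Confirm the rule id against the alert the scan was actually raising before the exemption is widened any further.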
@@ -91,7 +91,7 @@ export const createServer = (options: ServerOptions): Server => {
 httpd.pre(permissionsPolicy);
 httpd.pre(preventClickjacking({ formAction: options.formAction, frameAncestors: options.frameAncestors }));
 httpd.pre(preventMimeSniffing);
- httpd.pre(noCacheByDefault);
+ httpd.pre(privateByDefault);
 httpd.pre(restify.plugins.acceptParser(httpd.acceptable.filter(v => acceptable.includes(v))));
 (options.bodyParser !== false) && httpd.pre(restify.plugins.bodyParser(Object.assign({ mapParams: false }, options.bodyParser)));
diff --git a/lib/restify/src/middleware/no-cache-by-default.ts b/lib/restify/src/middleware/private-by-default.ts
similarity index 59%
rename from lib/restify/src/middleware/no-cache-by-default.ts
rename to lib/restify/src/middleware/private-by-default.ts
index ab084d551..90c68efc8 100644
--- a/lib/restify/src/middleware/no-cache-by-default.ts
+++ b/lib/restify/src/middleware/private-by-default.ts
@@ -1,12 +1,16 @@
 import type { Middleware, WriteHead } from "./common";
-export const noCacheByDefault: Middleware = (_req, res, next) => {
+export const privateByDefault: Middleware = (_req, res, next) => {
 const _writeHead = res.writeHead.bind(res);
 const writeHead: WriteHead = function (...args) {
 if (!this.getHeader('Cache-Control')) {
 this.cache('no-cache, no-store, must-revalidate, private');
 this.header('Pragma', 'no-cache');
 this.header('Expires', '0');
+
+ this.header('Cross-Origin-Embedder-Policy', 'require-corp');
+ this.header('Cross-Origin-Resource-Policy', 'same-origin');
+ this.header('Cross-Origin-Opener-Policy', 'same-origin');
 }
 return _writeHead(...args);
@@ -17,4 +21,4 @@ export const noCacheByDefault: Middleware = (_req, res, next) => {
 next();
 };
-export default noCacheByDefault;
+export default privateByDefault;
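Review bot: The three Cross-Origin-*-Policy headers are added inside the existing `if (!this.getHeader('Cache-Control'))` branch, so any handler that sets its own Cache-Control (a cacheable public page, for example) silently loses site isolation as well, even though nothing about caching implies that and the new name "privateByDefault" suggests these are meant to be defaults for every response. Move them out of the Cache-Control check and give each its own "only if not already set" guard, so a handler can still override one header deliberately without disabling the others. Separately, `Cross-Origin-Embedder-Policy: require-corp` makes browsers refuse to load any cross-origin subresource (images, scripts, frames) that does not itself send CORP or CORS headers, so if any page served through this middleware embeds third-party assets this is a breaking change that needs verifying before it ships as a blanket default. The middleware's remaining lines, where `writeHead` is installed and `next()` is called, fall between this hunk and the next, so the tail of the function is not visible here.

```typescript
  const writeHead: WriteHead = function (...args) {
    if (!this.getHeader('Cache-Control')) {
      // … unchanged: Cache-Control / Pragma / Expires defaults …
    }

    // Isolation headers are independent of caching: apply each one unless the
    // handler has already chosen its own value for it.
    const isolation: Array<[string, string]> = [
      ['Cross-Origin-Embedder-Policy', 'require-corp'],
      ['Cross-Origin-Resource-Policy', 'same-origin'],
      ['Cross-Origin-Opener-Policy', 'same-origin'],
    ];
    for (const [name, value] of isolation) {
      if (!this.getHeader(name)) this.header(name, value);
    }

    return _writeHead(...args);
```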