secureHeaders is only needed for statically served files. We do not need this for api endpoints. It adds various headers to enforce browser security features.
()
| 589 | // secureHeaders is only needed for statically served files. We do not need this for api endpoints. |
| 590 | // It adds various headers to enforce browser security features. |
| 591 | func secureHeaders() *secure.Secure { |
| 592 | // Permissions-Policy can be used to disabled various browser features that we do not use. |
| 593 | // This can prevent an embedded iframe from accessing these features. |
| 594 | // If we support arbitrary iframes such as generic applications, we might need to add permissions |
| 595 | // based on the app here. |
| 596 | permissions := strings.Join([]string{ |
| 597 | // =() means it is disabled |
| 598 | "accelerometer=()", |
| 599 | "autoplay=()", |
| 600 | "battery=()", |
| 601 | "camera=()", |
| 602 | "document-domain=()", |
| 603 | "geolocation=()", |
| 604 | "gyroscope=()", |
| 605 | "magnetometer=()", |
| 606 | "microphone=(self)", |
| 607 | "midi=()", |
| 608 | "payment=()", |
| 609 | "usb=()", |
| 610 | "vr=()", |
| 611 | "screen-wake-lock=()", |
| 612 | "xr-spatial-tracking=()", |
| 613 | }, ", ") |
| 614 | |
| 615 | return secure.New(secure.Options{ |
| 616 | PermissionsPolicy: permissions, |
| 617 | |
| 618 | // Prevent the browser from sending Referrer header with requests |
| 619 | ReferrerPolicy: "no-referrer", |
| 620 | }) |
| 621 | } |
| 622 | |
| 623 | // findAndParseHTMLFiles recursively walks the file system passed finding all *.html files. |
| 624 | // The template returned has all html files parsed. |