MCPcopy Index your code
hub / github.com/coder/coder / secureHeaders

Function secureHeaders

site/site.go:591–621  ·  view source on GitHub ↗

secureHeaders is only needed for statically served files. We do not need this for api endpoints. It adds various headers to enforce browser security features.

()

Source from the content-addressed store, hash-verified

589// secureHeaders is only needed for statically served files. We do not need this for api endpoints.
590// It adds various headers to enforce browser security features.
591func secureHeaders() *secure.Secure {
592 // Permissions-Policy can be used to disabled various browser features that we do not use.
593 // This can prevent an embedded iframe from accessing these features.
594 // If we support arbitrary iframes such as generic applications, we might need to add permissions
595 // based on the app here.
596 permissions := strings.Join([]string{
597 // =() means it is disabled
598 "accelerometer=()",
599 "autoplay=()",
600 "battery=()",
601 "camera=()",
602 "document-domain=()",
603 "geolocation=()",
604 "gyroscope=()",
605 "magnetometer=()",
606 "microphone=(self)",
607 "midi=()",
608 "payment=()",
609 "usb=()",
610 "vr=()",
611 "screen-wake-lock=()",
612 "xr-spatial-tracking=()",
613 }, ", ")
614
615 return secure.New(secure.Options{
616 PermissionsPolicy: permissions,
617
618 // Prevent the browser from sending Referrer header with requests
619 ReferrerPolicy: "no-referrer",
620 })
621}
622
623// findAndParseHTMLFiles recursively walks the file system passed finding all *.html files.
624// The template returned has all html files parsed.

Callers 1

NewFunction · 0.85

Calls 1

NewMethod · 0.65

Tested by

no test coverage detected