Security headers #30

@thekid

Description

Idea

Add a web.frontend.SecurityHeaders API to cover all of: X-Content-Type-Options ✅, Content-Security-Policy, X-Frame-Options, Referrer-Policy and Permissions-Policy, e.g. as follows:

new SecurityHeaders(
  csp: "default-src 'none'; ...",
  framing: 'DENY',  // or: ALLOW, SAMEORIGIN, ALLOW-FROM [URL]
  referrers: 'no-referrer-when-downgrade', // or: strict-origin, origin-when-cross-origin, etcetera
  permissions: '...'
);
  • Check how to add easy report-only modes for csp and permissions
  • Check how a nonce-notation would work
  • Make framing and referrers accessible via enums
  • Check what could be sensible defaults?
  • ...and if we can find defaults, add these to the frontend and then make them customizable via $frontend->security()->csp(...) instead of always having to add these manually

See https://securityheaders.com/?q=https%3A%2F%2Fdialog.sloppy.zone%2F

Inspired by
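The sketch below is an added example, not code from this issue or from the web-frontend project. It shows one way the design above could be realised in plain PHP 8.1 with no framework dependency: the framing and referrer policies as backed enums, a per-response CSP nonce substituted into a `{nonce}` placeholder, and report-only variants of the CSP and Permissions-Policy headers. The class name `SecurityHeaders`, the method names and the default policy values are all assumptions made for the example.

```php
<?php
// Added example sketch; class, method and default values are assumptions,
// not the web-frontend project's API.

// X-Frame-Options only has two values browsers still honour. ALLOW-FROM is
// obsolete; use the CSP frame-ancestors directive for allow-listing instead.
enum Framing: string {
  case DENY= 'DENY';
  case SAMEORIGIN= 'SAMEORIGIN';
}

// Referrer-Policy values, see https://www.w3.org/TR/referrer-policy/
enum Referrers: string {
  case NO_REFERRER= 'no-referrer';
  case NO_REFERRER_WHEN_DOWNGRADE= 'no-referrer-when-downgrade';
  case SAME_ORIGIN= 'same-origin';
  case ORIGIN= 'origin';
  case STRICT_ORIGIN= 'strict-origin';
  case ORIGIN_WHEN_CROSS_ORIGIN= 'origin-when-cross-origin';
  case STRICT_ORIGIN_WHEN_CROSS_ORIGIN= 'strict-origin-when-cross-origin';
}

final class SecurityHeaders {

  /** Defaults (assumed): deny everything, then opt in per source */
  public function __construct(
    private string $csp= "default-src 'none'; base-uri 'self'; form-action 'self'",
    private Framing $framing= Framing::DENY,
    private Referrers $referrers= Referrers::STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
    private string $permissions= 'camera=(), microphone=(), geolocation=()',
    private bool $reportOnly= false,
    private ?string $reportUri= null,
  ) { }

  /** Generates a fresh nonce; call exactly once per response */
  public static function nonce(): string {
    return base64_encode(random_bytes(16));
  }

  /**
   * Returns the headers as name => value. The `{nonce}` placeholder in the
   * CSP is replaced by the quoted nonce source; in report-only mode the
   * *-Report-Only header names are used so violations are reported but not
   * enforced (Permissions-Policy-Report-Only is still experimental).
   */
  public function headers(?string $nonce= null): array {
    $csp= $this->csp;
    if (null !== $nonce) {
      $csp= str_replace('{nonce}', "'nonce-".$nonce."'", $csp);
    }
    if (null !== $this->reportUri) {
      $csp.= '; report-uri '.$this->reportUri;
    }

    $suffix= $this->reportOnly ? '-Report-Only' : '';
    return [
      'X-Content-Type-Options'        => 'nosniff',
      'Content-Security-Policy'.$suffix => $csp,
      'X-Frame-Options'               => $this->framing->value,
      'Referrer-Policy'               => $this->referrers->value,
      'Permissions-Policy'.$suffix    => $this->permissions,
    ];
  }
}

// Usage: roll out a nonce-based policy in report-only mode first
$nonce= SecurityHeaders::nonce();
$security= new SecurityHeaders(
  csp: "default-src 'none'; script-src {nonce}; style-src 'self'; img-src 'self'",
  framing: Framing::DENY,
  referrers: Referrers::STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
  reportOnly: true,
  reportUri: '/csp-report',   // assumed endpoint
);

foreach ($security->headers($nonce) as $name => $value) {
  header($name.': '.$value);
}

// The same nonce must appear on every inline script the page emits
echo '<script nonce="'.htmlspecialchars($nonce, ENT_QUOTES).'">console.log("ok");</script>';
```

Once the report endpoint shows no unexpected violations, switching `reportOnly` to `false` turns the same policy into an enforced one without touching the header values. Because `nonce()` draws from `random_bytes()`, the placeholder substitution must happen per response; caching a rendered header value would reuse the nonce and defeat it.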

Metadata

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
