align nodejs http headers with example nginx

docs/example.nginx.conf

@@ -57,6 +57,14 @@ server {
     add_header Access-Control-Allow-Origin "*";
     # add_header X-Frame-Options "SAMEORIGIN";
 
+    set $coop '';
+    if ($uri ~ ^\/sheet\/.*$) { set $coop 'same-origin'; }
+
+    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
+    add_header Cross-Origin-Resource-Policy cross-origin;
+    add_header Cross-Origin-Opener-Policy $coop;
+    add_header Cross-Origin-Embedder-Policy require-corp;
+
     # Insert the path to your CryptPad repository root here
     root /home/cryptpad/cryptpad;
     index index.html;
@@ -108,14 +116,6 @@ server {
     if ($uri = "/sheet/inner.html") { set $unsafe 1; }
     if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
 
-    set $coop '';
-    if ($uri ~ ^\/sheet\/.*$) { set $coop 'same-origin'; }
-
-    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
-    add_header Cross-Origin-Resource-Policy cross-origin;
-    add_header Cross-Origin-Opener-Policy $coop;
-    add_header Cross-Origin-Embedder-Policy require-corp;
-
     # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
     if ($host != $sandbox_domain) { set $unsafe 0; }
 

lib/defaults.js

@@ -48,9 +48,6 @@ Default.httpHeaders = function () {
         "X-XSS-Protection": "1; mode=block",
         "X-Content-Type-Options": "nosniff",
         "Access-Control-Allow-Origin": "*",
-        "Cross-Origin-Resource-Policy": 'cross-origin',
-        "Cross-Origin-Opener-Policy": 'same-origin',
-        "Cross-Origin-Embedder-Policy": 'require-corp',
     };
 };
 

server.js

@@ -60,6 +60,10 @@ var app = Express();
     }
 }());
 
+var applyHeaderMap = function (res, map) {
+    for (let header in map) { res.setHeader(header, map[header]); }
+};
+
 var setHeaders = (function () {
     // load the default http headers unless the admin has provided their own via the config file
     var headers;
@@ -96,14 +100,21 @@ var setHeaders = (function () {
     }
     if (Object.keys(headers).length) {
         return function (req, res) {
+            // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
+            applyHeaderMap(res, {
+                "Cross-Origin-Resource-Policy": 'cross-origin',
+                "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
+                "Cross-Origin-Embedder-Policy": 'require-corp',
+            });
+
+            // targeted CSP, generic policies, maybe custom headers
             const h = [
-                    ///^\/pad\/inner\.html.*/,
                     /^\/common\/onlyoffice\/.*\/index\.html.*/,
                     /^\/(sheet|ooslide|oodoc)\/inner\.html.*/,
                 ].some((regex) => {
                     return regex.test(req.url);
                 }) ? padHeaders : headers;
-            for (let header in h) { res.setHeader(header, h[header]); }
+            applyHeaderMap(res, h);
         };
     }
     return function () {};
@@ -139,6 +150,7 @@ app.use(function (req, res, next) {
 
     setHeaders(req, res);
     if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
+    else { res.setHeader("Cache-Control", "no-cache"); }
     next();
 });