Platform Explorer / Nuxeo Platform 2021.25

Contribution org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib--responseHeaders

This contribution is part of XML component org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib inside nuxeo-platform-web-common-2021.25.8.jar /OSGI-INF/web-request-controller-contrib.xml

Extension Point

Extension point responseHeaders of component RequestControllerService.

Registration Order

0
The registration order represents the order in which this contribution was registered on its target extention point. This will impact the override/merge behaviour when it is implemented on the target service, and is useful for proper customization of existing contributions.
You can influence this order by adding "require" tags in the containing component declaration, to make sure it is resolved after another component (see "Resolution Order" on components).

Contributed Items

  • <header name="X-UA-Compatible">IE=10; IE=11</header>
  • <header name="Cache-Control">no-cache</header>
  • <header name="X-Content-Type-Options">nosniff</header>
  • <header name="X-XSS-Protection">1; mode=block</header>
  • <header name="X-Frame-Options">SAMEORIGIN</header>
  • <header name="Referrer-Policy">strict-origin-when-cross-origin</header>
  • <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>

XML Source

<extension point="responseHeaders" target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService">
    <header name="X-UA-Compatible">IE=10; IE=11</header>
    <header name="Cache-Control">no-cache</header>
    <header name="X-Content-Type-Options">nosniff</header>
    <header name="X-XSS-Protection">1; mode=block</header>
    <header name="X-Frame-Options">SAMEORIGIN</header>
    <header name="Referrer-Policy">strict-origin-when-cross-origin</header>
    <!-- this is a permissive Content-Security-Policy, which should be overridden for more security -->
    <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
  </extension>