Platform Explorer / Nuxeo Platform LTS 2017 9.10

Contribution org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib--responseHeaders

This contribution is part of XML component org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib inside nuxeo-platform-web-common-9.10.jar /OSGI-INF/web-request-controller-contrib.xml

Extension Point

Extension point responseHeaders of component RequestControllerService.

Contributed Items

  • <header name="X-UA-Compatible">IE=10; IE=11</header>
  • <header name="Cache-Control">no-cache, no-store, must-revalidate</header>
  • <header name="X-Content-Type-Options">nosniff</header>
  • <header name="X-XSS-Protection">1; mode=block</header>
  • <header name="X-Frame-Options">SAMEORIGIN</header>
  • <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>

XML Source

<extension point="responseHeaders" target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService">
    <header name="X-UA-Compatible">IE=10; IE=11</header>
    <header name="Cache-Control">no-cache, no-store, must-revalidate</header>
    <header name="X-Content-Type-Options">nosniff</header>
    <header name="X-XSS-Protection">1; mode=block</header>
    <header name="X-Frame-Options">SAMEORIGIN</header>
    <!-- this is a permissive Content-Security-Policy, which should be overridden for more security -->
    <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
</extension>
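
The XML comment above calls the contributed Content-Security-Policy permissive. The following audit is an added example, not code from Nuxeo or from this page; it parses the contribution and lists what makes the policy permissive, directive by directive. The function names and the `RISKY`, `EXECUTABLE` and `NO_FALLBACK` lists are choices made for this example.

```python
import xml.etree.ElementTree as ET

# The extension shown on this page, embedded so the script runs offline.
CONTRIB = """<extension point="responseHeaders" target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService">
    <header name="X-UA-Compatible">IE=10; IE=11</header>
    <header name="Cache-Control">no-cache, no-store, must-revalidate</header>
    <header name="X-Content-Type-Options">nosniff</header>
    <header name="X-XSS-Protection">1; mode=block</header>
    <header name="X-Frame-Options">SAMEORIGIN</header>
    <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
</extension>"""

RISKY = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:")  # example's own list
EXECUTABLE = ("script-src", "object-src")  # sources here can run code
NO_FALLBACK = ("base-uri", "form-action")  # never inherit from default-src

def load_headers(xml_text):
    """Return {header name: value} from a responseHeaders extension."""
    root = ET.fromstring(xml_text)
    return {h.get("name"): (h.text or "").strip() for h in root.iter("header")}

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers):
    """Return (directive, finding) tuples for the Content-Security-Policy."""
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    findings = []
    for name in EXECUTABLE:
        sources = policy.get(name, policy.get("default-src"))
        if sources is None:
            findings.append((name, "not restricted"))
            continue
        note = "" if name in policy else " (inherited from default-src)"
        findings += [(name, f"allows {s}{note}") for s in sources if s in RISKY]
    findings += [(n, "missing, no default-src fallback")
                 for n in NO_FALLBACK if n not in policy]
    # Framing is restricted by either frame-ancestors or X-Frame-Options.
    if "frame-ancestors" not in policy and "X-Frame-Options" not in headers:
        findings.append(("frame-ancestors", "missing and no X-Frame-Options"))
    return findings

if __name__ == "__main__":
    for directive, finding in audit(load_headers(CONTRIB)):
        print(f"{directive}: {finding}")
```

Running the same `audit` over the headers of an overriding contribution shows which of these findings the override actually closes.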