upgrade insecure requests and add anonymous iframe

OWASP · Feb 3, 2025 · 88d2764 · 88d2764
1 parent a2c283c
commit 88d2764
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/cornucopia.owasp.org/data/website/pages/play/en/index.md b/cornucopia.owasp.org/data/website/pages/play/en/index.md
@@ -5,7 +5,7 @@ It is possible to play Cornucopia in many different ways. Here is one way explai
 <noscript>
     <p>You cannot view this video directly because JavaScript is disabled. Click <a href="https://www.youtube.com/watch?v=XXTPXozIHow" target="_blank" rel="noopener">here</a> to watch the video on YouTube.</p>
 </noscript>
-<iframe class="how-to-play" frameborder="0" title="Youtube: How to play OWASP Cornucopia" 
+<iframe credentialless anonymous class="how-to-play" frameborder="0" title="Youtube: How to play OWASP Cornucopia" 
 src="https://www.youtube.com/embed/XXTPXozIHow?si=uIi_VXDtSBkS027S" referrerpolicy="no-referrer" allowfullscreen>
 </iframe>
 

diff --git a/cornucopia.owasp.org/script/headers.js b/cornucopia.owasp.org/script/headers.js
@@ -27,12 +27,12 @@ function main() {
   Referrer-Policy: same-origin
   Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
-  content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'
+  content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'; upgrade-insecure-requests
 
 /how-to-play
   Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
   ! Content-Security-Policy
-  content-security-policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'
+  content-security-policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; upgrade-insecure-requests
 `;
 
   const headersFile = path.join(buildDir, '_headers');