fix: login page browser warnings and password manager support
- Make COOP header conditional on development mode to suppress HTTP warnings
- Add autocomplete attributes to all email/password inputs for password manager compatibility
- Add comprehensive tests for COOP conditional behavior
- Update security documentation for COOP, HTTPS requirements, and autocomplete

Fixes browser console warnings and improves UX by enabling password managers.

All quality gates passed: 85.7% backend coverage, 86.46% frontend coverage, zero security issues, all pre-commit hooks passed.

Changes:
- Backend: backend/internal/api/middleware/security.go
- Frontend: Login, Setup, Account, AcceptInvite, SMTPSettings pages
- Tests: Added 4 new test cases (2 backend, 2 frontend)
- Docs: Updated security.md, getting-started.md, README.md
@@ -59,7 +59,11 @@ func SecurityHeaders(cfg SecurityHeadersConfig) gin.HandlerFunc {
c.Header("Permissions-Policy", buildPermissionsPolicy())
// Cross-Origin-Opener-Policy: Isolate browsing context
c.Header("Cross-Origin-Opener-Policy", "same-origin")
// Skip in development mode to avoid browser warnings on HTTP
// In production, Caddy always uses HTTPS, so safe to set unconditionally
if !cfg.IsDevelopment {
c.Header("Cross-Origin-Opener-Policy", "same-origin")
}
// Cross-Origin-Resource-Policy: Prevent cross-origin reads
c.Header("Cross-Origin-Resource-Policy", "same-origin")
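Review bot: gating the Cross-Origin-Opener-Policy header on `!cfg.IsDevelopment` ties it to a deployment flag rather than to whether the response is actually served over HTTPS, which is what the browser warning is about; the comment "In production, Caddy always uses HTTPS, so safe to set unconditionally" states that assumption but the code does not check it. If a production instance is ever reached over plain HTTP (misconfigured reverse proxy, direct access to the Go listener), the header is emitted on an insecure context again and the warning returns, while a development instance that does run TLS loses the isolation for no reason. Consider checking the request scheme (`c.Request.TLS != nil`, or the proxy's forwarded-proto header) in addition to or instead of the flag, or at least state in the comment that the middleware relies on TLS termination in front of it. Also confirm that `IsDevelopment` already exists on `SecurityHeadersConfig`, since the hunk shown here does not add it.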