WordPress site was unable to load 3rd part fonts, chat widget from subdomain & google analytics due to CORS policy voilation

Discuss Advanced use case
,
1

So I was looking for answers to find right way to handle sameorigin error message due to yunohost default security config for nginx

So I did as follows:

nano /etc/nginx/conf.d/security.conf.inc

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;  # about 200000 sessions
ssl_session_tickets off;


# Ciphers with intermediate compatibility
# generated 2020-08-14, Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.6
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# Pre-defined FFDHE group (RFC 7919)
# From https://ssl-config.mozilla.org/ffdhe2048.txt
# https://security.stackexchange.com/a/149818
ssl_dhparam /usr/share/yunohost/ffdhe2048.pem;



# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/

more_set_headers "Content-Security-Policy : upgrade-insecure-requests";

more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
#more_set_headers "X-Frame-Options : ALLOWALL";
#more_set_headers "X-Frame-Options : SAMEORIGIN";
#more_set_headers "X-Frame-Options : ALLOW-FROM domain.com";

more_set_headers Content-Security-Policy "frame-ancestors domain.com helpdesk.domain.com facebook.com twitter.com instagram.com google.com;";

# Disable the disaster privacy thing that is FLoC

more_set_headers "Permissions-Policy : interest-cohort=()";


# Disable gzip to protect against BREACH
# Read https://trac.nginx.org/nginx/ticket/1720 (text/html cannot be disabled!)
gzip off;
2

Hello,
After upgrading YunoHost today, I lost the changes mentioned in my earlier post.
Is there any way to safely override policy related to Cross-origin resource sharing (CORS) standard mechanism without jeopardizing security.

Scenarios is as follows:

  1. ] I have wordpress site (xyz.abc.com), which use web fonts from google and some other vendor
  2. ] CDN for loading assets such as images, js (cdn.cloudfront.com)
  3. ] I am using self hosted version of Chatwoot (live chat) app in docker continer exposed on local port 3000
    3.1 ] then use its js code for adding chat widget onto wordpress site.
    3.2 ] chatwoot has its own subdomain and using yuno redirect to allow access to its own web UI at (chat.abc.com)
  4. ] Also using Google Tag manager (www.googletagmanager.com) for analytics

How to I accommodate above mentioned resources as CORS policy override so that it doesn’t get lost over the upgrades and also without lowering overall security.

Thank you