From 06c19a9624e9c8d52699d4a0ee80dfbbc987eced Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 10:00:02 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Harden=20se?=
 =?UTF-8?q?curity=20headers=20in=20firebase.json?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit enhances the application's security posture by hardening HTTP headers in the Firebase hosting configuration.

Key improvements:
- Hardened Content Security Policy (CSP) with `object-src 'none'` and `base-uri 'self'` to prevent plugin-based injections and base tag hijacking.
- Added `X-XSS-Protection: 1; mode=block` for defense-in-depth on legacy browsers.
- Added `Cross-Origin-Opener-Policy: same-origin` to isolate the browsing context and mitigate cross-origin attacks.
---
 firebase.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/firebase.json b/firebase.json
index 4715c0a..a98405b 100644
--- a/firebase.json
+++ b/firebase.json
@@ -39,7 +39,15 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://*.google-analytics.com https://*.analytics.google.com; upgrade-insecure-requests;"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://*.google-analytics.com https://*.analytics.google.com; object-src 'none'; base-uri 'self'; upgrade-insecure-requests;"
+ },
+ {
+ "key": "X-XSS-Protection",
+ "value": "1; mode=block"
+ },
+ {
+ "key": "Cross-Origin-Opener-Policy",
+ "value": "same-origin"
 }
 ]
 }
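Review bot: The new `X-XSS-Protection` entry uses the value `1; mode=block`, which is the configuration current guidance (OWASP, MDN) advises against: the auditor it enables has been removed from modern engines, and in the older browsers where it still works the filter itself has been abused to leak page contents, so the defense-in-depth claimed in the commit message is not what this value buys. Setting it to `"value": "0"` (or dropping the header) is the recommended form, with the new CSP carrying the actual XSS protection. That CSP is still weakened by `'unsafe-inline'` in `script-src`, which the hunk keeps, so `object-src 'none'` and `base-uri 'self'` close side channels while the main script-injection channel stays open; moving the tag-manager snippet to a nonce or hash would let `'unsafe-inline'` be removed. The CSP also has no `frame-ancestors` directive; whether clickjacking is covered by an `X-Frame-Options` entry earlier in this headers array cannot be seen here, since the array begins outside the hunk. The headers array and its enclosing hosting object start before this hunk.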