Hosting the Nomad for web browsers static web files
This topic only applies to Nomad for web browsers.
Nomad for web browsers runs as a Progressive Web Application in the browser, but the application's static files must be hosted somewhere and be served through SafeLinx. The application's files may be hosted on SafeLinx itself (generally the easiest solution) or on some other HTTP server which SafeLinx references. SafeLinx and Domino HTTP options are covered in the following child topics, but there are other HTTP options which may be used.
For downloading the application's static files for the SafeLinx endpoint, see System requirements.
Required headers
Regardless of where the application's static files are hosted, certain HTTP headers must be present in the flows of those files for Nomad for web browsers to function properly.
The HTTP headers vary per file as indicated below:
- /nomad/config/* and /nomad/license/*:
Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp X-Nomad-Resource true Cache-Control no-store - /nomad/index.html:
Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp X-Nomad-Resource true Content-Encoding gzip Cache-Control no-store - /nomad/sw-bundle.js:
Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp X-Nomad-Resource true Content-Encoding gzip Service-Worker-Allowed / - /nomad/ffswwa.html:
X-Nomad-Resource true Content-Encoding gzip Cache-Control no-store - All other /nomad files (/nomad/*):
Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp X-Nomad-Resource true Content-Encoding gzip
Optional headers
-
Strict-Transport-Security max-age=7776000; includeSubDomains -
X-Content-Type-Options nosniff -
Referrer-Policy strict-origin-when-cross-origin -
X-Frame-Options DENY Note: The Content-Security-Policy HTTP header generally makes this HTTP header obsolete. -
X-XSS-Protection 1; mode=block -
Permissions-Policy accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(self), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), web-share=() Note: For Permissions-Policy, the values important Nomad's execution are cross-origin-isolated (for shared memory to be allowed which is required for Nomad) and gelocation (for GPS functions to work which is optional for Nomad) - the others can be disabled. -
Content-Security-Policy default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-elem 'self' 'unsafe-inline'; style-src 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; frame-src 'self' Note: If using an Identity Provider (IdP) with Security Assertion Markup Language (SAML) or Nomad Federated Login, the connect-src and frame-src directives are necessary and must contain the IdP URL(s). For example, if using the AWS SSO IdP, you need to add; connect-src 'self' https://*.amazonaws.com https://*.awsapps.com; frame-src 'self' https://*.amazonaws.com https://*.awsapps.comto the end. If the IdP pages have images, you should add those same URL(s) to the img-src directive; for example,img-src 'self' blob: data: https://*.amazonaws.com https://*.awsapps.com.Note: Remote images may be blocked as part of the connect-src directive. To avoid the blocking, the connect-src directive needs to be customized with additional sources.Note: If your browsers all support the wasm-unsafe-eval directive for script-src (Firefox 102 or higher; Chrome and Edge 97 or higher), replace the 'unsafe-eval' in script-src with the more restrictive 'wasm-unsafe-eval'.