Hosting the Nomad for web browsers static web files

This topic only applies to Nomad for web browsers.

Nomad for web browsers runs as a Progressive Web Application in the browser, but the application's static files must be hosted somewhere and be served through SafeLinx. The application's files may be hosted on SafeLinx itself (generally the easiest solution) or on some other HTTP server which SafeLinx references. SafeLinx and Domino HTTP options are covered in the following child topics, but there are other HTTP options which may be used.

Required headers

Regardless of where the application's static files are hosted, certain HTTP headers must be present in the flows of those files for Nomad for web browsers to function properly.

The HTTP headers vary per file as indicated below:

  • /nomad/config/* and /nomad/license/*:
    Cross-Origin-Opener-Policy same-origin
    Cross-Origin-Embedder-Policy require-corp
    X-Nomad-Resource true
    Cache-Control no-store
  • /nomad/index.html:
    Cross-Origin-Opener-Policy same-origin
    Cross-Origin-Embedder-Policy require-corp
    X-Nomad-Resource true
    Content-Encoding gzip
    Cache-Control no-store
  • /nomad/sw-bundle.js:
    Cross-Origin-Opener-Policy same-origin
    Cross-Origin-Embedder-Policy require-corp
    X-Nomad-Resource true
    Content-Encoding gzip
    Service-Worker-Allowed /
  • /nomad/ffswwa.html:
    X-Nomad-Resource true
    Content-Encoding gzip
    Cache-Control no-store
  • All other /nomad files (/nomad/*):
    Cross-Origin-Opener-Policy same-origin
    Cross-Origin-Embedder-Policy require-corp
    X-Nomad-Resource true
    Content-Encoding gzip

Optional headers

The following headers are recommended for security purposes:
  • Strict-Transport-Security max-age=7776000; includeSubDomains
  • Referrer-Policy strict-origin-when-cross-origin
  • Note: The Content-Security-Policy HTTP header generally makes this HTTP header obsolete.
  • X-XSS-Protection 1; mode=block
  • Permissions-Policy accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(self), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), web-share=()
    Note: For Permissions-Policy, the values important Nomad's execution are cross-origin-isolated (for shared memory to be allowed which is required for Nomad) and gelocation (for GPS functions to work which is optional for Nomad) - the others can be disabled.
  • Content-Security-Policy default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-elem 'self' 'unsafe-inline'; style-src 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:
    Note: If using an Identity Provider (IdP) with Security Assertion Markup Language (SAML) or Nomad Federated Login, the connect-src and frame-src directives are necessary and must contain the IdP URL(s). For example, if using the AWS SSO IdP, you need to add ; connect-src 'self' https://*.amazonaws.com https://*.awsapps.com; frame-src 'self' https://*.amazonaws.com https://*.awsapps.com to the end. If the IdP pages have images, you should add those same URL(s) to the img-src directive; for example, img-src 'self' blob: data: https://*.amazonaws.com https://*.awsapps.com.
    Note: Remote images may be blocked as part of the connect-src directive. To avoid the blocking, the connect-src directive needs to be customized with additional sources.
    Note: If your browsers all support the wasm-unsafe-eval directive for script-src (Firefox 102 or higher; Chrome and Edge 97 or higher), replace the 'unsafe-eval' in script-src with the more restrictive 'wasm-unsafe-eval'.