# Cloudflare Pages headers for Memeroot browser-OS releases
# Intentionally no strict CSP by default: the canvas executes signed XML feature code via new Function
# and uses inline script/XML blocks. A strict CSP would break the current architecture.

/*
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()

/*.html
  Cache-Control: public, max-age=300

/*.xml
  Content-Type: application/xml; charset=utf-8
  Cache-Control: public, max-age=300

/*.json
  Content-Type: application/json; charset=utf-8
  Cache-Control: public, max-age=300

/*.zip
  Content-Type: application/zip
  Cache-Control: public, max-age=31536000, immutable
