Context Navigation

← Previous Ticket
Next Ticket →

#31840 closed New feature (fixed)

Add Support for Cross-Origin Opener Policy header

Reported by:	meggles711	Owned by:	meggles711
Component:	HTTP handling	Version:	dev
Severity:	Normal	Keywords:	COOP, security, headers
Cc:	Adam Johnson, pope1ni, Florian Apolloner	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

I would like to add support for the cross-origin Opener Policy header in Django.

What is Cross-Origin Opener Policy?
Cross-origin opener policy (COOP) is an HTTP header that protects against cross-origin attacks when set. This is a relatively new security feature that would add protection to Django

Historically, CORS has been sufficient in protecting against these attacks by confirming that a server intends to share a resource with a given origin. Spectre, a vulnerability in modern processors, has made any data loaded into the same browsing context potentially vulnerable. COOP is used to tell browsers to open resources so that they are loaded within separate browsing contexts preventing information leaks.

COOP isolates top level windows from other documents by loading them in a different browsing context. This means that all cross-origin requests can be vetted by the server that owns the resource.

This header can be set to same-origin, same-origin-allow-popups, or unsafe-none. Documents marked same-origin can only be in the same browsing context as other documents from the same origin that are also marked same-origin. Documents marked as same-origin-allow-popups can maintain references to pop ups if they do not have the COOP header set or if they are marked as unsafe-none. Documents marked as unsafe-none can be added to the opener’s browsing context unless the opener is marked same-origin.

With COOP, developers can finely control cross origin access to each document in their application. You can read more about COOP in the spec.

Proposed Changes to Django

Django users should have the ability to set the COOP header. This can be implemented in a similar way to the Referrer-Policy header in the security middleware. The header will be added to the response in the process_response function. The header should default to same-origin as this is the most secure setting.

Change History (11)

comment:1 by meggles711, 4 years ago

Owner:	changed from nobody to meggles711
Status:	new → assigned

comment:2 by Carlton Gibson, 4 years ago

Cc:	Adam Johnson pope1ni added
Triage Stage:	Unreviewed → Accepted

OK, thanks. I'll provisionally Accept this, but cc a couple of people who've been involved before here, and also I've raised a question on the mailing list, since I'm not sure about just keep adding settings as the best approach here. (Maybe we adjust the "Accept" to something else...?)

#30746 is the same ballpark here for Permissions-Policy

comment:3 by Carlton Gibson, 4 years ago

Cc:	Florian Apolloner added

Noting also #31425 and #30729 are more or less the same as well. ("Add support for a header...")

comment:4 by meggles711, 4 years ago

Okay, sounds good, I'll cc some other developers and have them review my code before I make a pull request. I'll also check out the thread you started on the mailing list.

I was considering pitching adding support for COOP and another header called Cross-Origin Embedder Policy (COEP) in the same issue. However, COEP relies on having a specific CORS or CORP header setting which Django doesn't currently have support for right now either. Maybe I consider tackling COEP and CORS/CORP now as well so that they don't have to be raised as 2 additional issues that are just adding security headers?

comment:5 by Jacob Walls, 4 years ago

Has patch:	set

Hi Megan, I'm linking your patch and ticking Has Patch to increase visibility for reviewers. In the meantime, would you be able to rebase?

comment:6 by Adam Johnson, 4 years ago

Thanks Jacob. I've had a first review of the PR, I think it needs a few changes.

comment:7 by Mariusz Felisiak, 4 years ago

Patch needs improvement:	set

comment:8 by Tim Graham, 3 years ago

Patch needs improvement:	unset
Summary:	Adding Support for Cross-Origin Opener Policy → Add Support for Cross-Origin Opener Policy header

Updated PR

I addressed Adam's comment and made edits based on my own review.

comment:9 by Tim Graham, 3 years ago

Triage Stage:	Accepted → Ready for checkin

Reviewed by Adam Johnson and myself (I didn't author most of the patch).

comment:10 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution:	→ fixed
Status:	assigned → closed

In db5b75f1:

Fixed #31840 -- Added support for Cross-Origin Opener Policy header.

Thanks Adam Johnson and Tim Graham for the reviews.

Co-authored-by: Tim Graham <timograham@…>

comment:11 by djw, 2 years ago

There's a nasty bug in the current version of Safari where back-navigation hangs when returning to a site which sets a Cross-Origin-Opener-Policy. While not mentioned in the ticket below, we see a large volume of network requests to our site while the UI is hanging.

https://bugs.webkit.org/show_bug.cgi?id=235475

This will presumably affect all Django 4.0 sites unless SECURE_CROSS_ORIGIN_OPENER_POLICY has been set to None.

I've confirmed the bug is still present in Safari 15.3 (Mac and iOS) but appears fixed in the current Safari Technology Preview (140).

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues