﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31840	Add Support for Cross-Origin Opener Policy header	meggles711	meggles711	"I would like to add support for the cross-origin Opener Policy header in Django.

**What is Cross-Origin Opener Policy?**
Cross-origin opener policy (COOP) is an HTTP header that protects against cross-origin attacks when set. This is a relatively new security feature that would add protection to Django.

Historically, CORS has been sufficient in protecting against these attacks by confirming that a server intends to share a resource with a given origin. Spectre, a vulnerability in modern processors, has made any data loaded into the same browsing context potentially vulnerable. COOP is used to tell browsers to open resources so that they are loaded within separate browsing contexts, preventing information leaks.

COOP isolates top-level windows from other documents by loading them in a different browsing context. This means that all cross-origin requests can be vetted by the server that owns the resource.

This header can be set to same-origin, same-origin-allow-popups, or unsafe-none. Documents marked same-origin can only be in the same browsing context as other documents from the same origin that are also marked same-origin. Documents marked as same-origin-allow-popups can maintain references to pop-ups if they do not have the COOP header set or if they are marked as unsafe-none. Documents marked as unsafe-none can be added to the opener’s browsing context unless the opener is marked same-origin.

With COOP, developers can finely control cross-origin access to each document in their application. You can read more about COOP in the [https://html.spec.whatwg.org/multipage/origin.html#the-cross-origin-opener-policy-header spec].


**Proposed Changes to Django**

Django users should have the ability to set the COOP header. This can be implemented in a similar way to the Referrer-Policy header in the security middleware. The header will be added to the response in the process_response function. The header should default to same-origin as this is the most secure setting."	New feature	closed	HTTP handling	dev	Normal	fixed	COOP, security, headers	Adam Johnson pope1ni Florian Apolloner	Ready for checkin	1	0	0	0	0	0
