id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31923	Add Support for Cross-Origin Embedder Policy and Cross-Origin Resource Policy Headers	meggles711	meggles711	"I would like to add support for the COEP header, as well as CORP which is required to support this header, in Django.

**What is Cross-Origin Resource Policy?**
This header conveys to the browser that it should block no-cors requests to the given resource that are cross-origin or cross-site depending on the header’s value. This prevents information leaks and blocks the response before it enters an attacker’s process.

The CORP header can have one of three values. If set to “same-origin”, the browser will block any cross-origin no-cors requests. If set to “same-site”, the browser will block any cross-site no-cors requests. If set to “cross-origin”, no-cors requests are explicitly allowed to load this resource.

**What is Cross-Origin Embedder Policy?**
COEP, when used with the cross-origin opener policy header, is used to create a “cross-origin isolated state” for your site. This state prevents the modification of document.domain and makes cross-origin requests less dangerous. It also allows developers to use otherwise dangerous features like SharedArrayBuffer, performance.measureMemory, and the JS Self-Profiling API.

When set, COEP instructs the browser not to load cross-origin resources into the document unless they give explicit permission using CORS or CORP. Because of this, COEP can only be effectively used if developers also have the ability to set the CORP or CORS header. COEP can only be set to one value, “require-corp”.

**Proposed Changes to Django**
Django users should have the ability to set the COEP and CORP headers. Support for them should be added as a part of the security middleware. COEP should default to “require-corp” and CORP should default to “same-origin”.
"	New feature	assigned	HTTP handling	dev	Normal		COEP, header, CORP, security	Florian Apolloner Adam Johnson	Accepted	0	0	0	0	0	0
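As an added illustration (not part of the ticket or of Django's code), the following Python models the browser-side decision the description above lays out: how the CORP value and the embedding document's COEP together decide whether a no-cors response may be used, and why COEP require-corp needs either CORP or CORS on the resource. Assumptions, labelled in the code: a "site" is approximated as scheme plus the last two host labels (browsers use the Public Suffix List), and `cors_ok` stands in for a CORS request that passed the Access-Control-Allow-Origin check; `load_allowed`, `effective_corp`, `origin` and `site` are names chosen here.

```python
from urllib.parse import urlsplit

CORP_VALUES = ("same-origin", "same-site", "cross-origin")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port); two URLs are same-origin iff these match."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def site(url):
    """Schemeful site, approximated as scheme + last two host labels.
    Assumption: real browsers derive the registrable domain from the
    Public Suffix List instead of counting labels."""
    parts = urlsplit(url)
    return (parts.scheme, ".".join(parts.hostname.split(".")[-2:]))


def effective_corp(corp_header, coep):
    """The CORP value the browser actually applies to a no-cors response.
    A missing or unrecognised header counts as "same-origin" when the
    embedding document is COEP require-corp, and as no policy otherwise.
    This is why COEP alone blocks unmarked cross-origin resources."""
    value = (corp_header or "").strip().lower()
    if value in CORP_VALUES:
        return value
    return "same-origin" if coep == "require-corp" else None


def load_allowed(document_url, resource_url, corp_header=None, coep=None,
                 mode="no-cors", cors_ok=False):
    """True if the document may use the response, False if it is blocked."""
    if mode == "cors":
        # A CORS request is gated by the CORS check itself; that is the
        # "explicit permission using CORS" the ticket refers to.
        return cors_ok
    policy = effective_corp(corp_header, coep)
    if policy is None or policy == "cross-origin":
        return True
    if origin(document_url) == origin(resource_url):
        return True
    if policy == "same-site" and site(document_url) == site(resource_url):
        return True
    return False  # blocked before the bytes reach the document's process
```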
