[Django] #31840: Adding Support for Cross-Origin Opener Policy
Django
-------------------------------------+-------------------------------------
Reporter: | Owner: nobody
meggles711 |
Type: New | Status: new
feature |
Component: HTTP | Version: master
handling | Keywords: COOP, security,
Severity: Normal | headers
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
I would like to add support for the cross-origin Opener Policy header in
Django.
**What is Cross-Origin Opener Policy?**
Cross-origin opener policy (COOP) is an HTTP header that protects against
cross-origin attacks when set. This is a relatively new security feature
that would add protection to Django
Historically, CORS has been sufficient in protecting against these attacks
by confirming that a server intends to share a resource with a given
origin. Spectre, a vulnerability in modern processors, has made any data
loaded into the same browsing context potentially vulnerable. COOP is used
to tell browsers to open resources so that they are loaded within separate
browsing contexts preventing information leaks.
COOP isolates top level windows from other documents by loading them in a
different browsing context. This means that all cross-origin requests can
be vetted by the server that owns the resource.
This header can be set to same-origin, same-origin-allow-popups, or
unsafe-none. Documents marked same-origin can only be in the same
browsing context as other documents from the same origin that are also
marked same-origin. Documents marked as same-origin-allow-popups can
maintain references to pop ups if they do not have the COOP header set or
if they are marked as unsafe-none. Documents marked as unsafe-none can be
added to the opener’s browsing context unless the opener is marked same-
origin.
With COOP, developers can finely control cross origin access to each
document in their application. You can read more about COOP in the
[https://html.spec.whatwg.org/multipage/origin.html#the-cross-origin-
opener-policy-header spec].
**Proposed Changes to Django**
Django users should have the ability to set the COOP header. This can be
implemented in a similar way to the Referrer-Policy header in the security
middleware. The header will be added to the response in the
process_response function. The header should default to same-origin as
this is the most secure setting.
--
Ticket URL: <https://code.djangoproject.com/ticket/31840>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage:
headers | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: nobody => meggles711
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:1>
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
headers |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: Adam (Chainz) Johnson, Nick Pope (added)
* stage: Unreviewed => Accepted
Comment:
OK, thanks. I'll provisionally Accept this, but cc a couple of people
who've been involved before here, and also
[https://groups.google.com/d/topic/django-
developers/WJAbbwJKp30/discussion I've raised a question on the mailing
list], since I'm not sure about ''just keep adding settings'' as the best
approach here. (Maybe we adjust the "Accept" to something else...?)
#30746 is the same ballpark here for Permissions-Policy
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:2>
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage: Accepted
headers |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: Florian Apolloner (added)
Comment:
Noting also #31425 and #30729 are more or less the same as well. ("Add
support for a header...")
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:3>
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage: Accepted
headers |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by meggles711):
Okay, sounds good, I'll cc some other developers and have them review my
code before I make a pull request. I'll also check out the thread you
started on the mailing list.
I was considering pitching adding support for COOP and another header
called Cross-Origin Embedder Policy (COEP) in the same issue. However,
COEP relies on having a specific CORS or CORP header setting which Django
doesn't currently have support for right now either. Maybe I consider
tackling COEP and CORS/CORP now as well so that they don't have to be
raised as 2 additional issues that are just adding security headers?
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:4>
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage: Accepted
headers |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* has_patch: 0 => 1
Comment:
Hi Megan, I'm linking your patch and ticking Has Patch to increase
visibility for reviewers. In the meantime, would you be able to rebase?
[https://github.com/django/django/pull/13351 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:5>
Django
-------------------------------------+-------------------------------------
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage: Accepted
headers |
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:7>
Django
-------------------------------------+-------------------------------------
Reporter: meggles711 | Owner:
| meggles711
Type: New feature | Status: assigned
Severity: Normal | Resolution:
Keywords: COOP, security, | Triage Stage: Accepted
headers |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_better_patch: 1 => 0
Comment:
[https://github.com/django/django/pull/14189 Updated PR]
I addressed Adam's comment and made edits based on my own review.
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:8>
Django
-------------------------------------+-------------------------------------
Reporter: meggles711 | Owner:
| meggles711
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
headers | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
Comment:
Reviewed by Adam Johnson and myself (I didn't author most of the patch).
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:9>
Django
-------------------------------------+-------------------------------------
Reporter: meggles711 | Owner:
| meggles711
Component: HTTP handling | Version: dev
Keywords: COOP, security, | Triage Stage: Ready for
headers | checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"db5b75f10fe211af9fab9094f937436760db8488" db5b75f1]:
{{{
#!CommitTicketReference repository=""
revision="db5b75f10fe211af9fab9094f937436760db8488"
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timog...@gmail.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:10>
Django
-------------------------------------+-------------------------------------
Reporter: meggles711 | Owner:
| meggles711
Type: New feature | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: COOP, security, | Triage Stage: Ready for
headers | checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by djw):
There's a nasty bug in the current version of Safari where back-navigation
hangs when returning to a site which sets a `Cross-Origin-Opener-Policy`.
While not mentioned in the ticket below, we see a large volume of network
requests to our site while the UI is hanging.
https://bugs.webkit.org/show_bug.cgi?id=235475
This will presumably affect all Django 4.0 sites unless
`SECURE_CROSS_ORIGIN_OPENER_POLICY` has been set to None.
I've confirmed the bug is still present in Safari 15.3 (Mac and iOS) but
appears fixed in the current Safari Technology Preview (140).
--
Ticket URL: <https://code.djangoproject.com/ticket/31840#comment:11>