summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorbankc <bankc@google.com>2020-08-26 12:09:19 -0400
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-30 19:59:24 +0200
commitdb5b75f10fe211af9fab9094f937436760db8488 (patch)
tree8a1ba3eb35bc2e16b68b2bbb195881774a8abbc2 /django
parentf6018c1e63a04e0c12e2ca759e76e05ccf5e09de (diff)
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
Diffstat (limited to 'django')
-rw-r--r--django/conf/global_settings.py1
-rw-r--r--django/core/checks/security/base.py27
-rw-r--r--django/middleware/security.py6
3 files changed, 32 insertions, 2 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 8108f8f762..0827e85f69 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -636,6 +636,7 @@ SILENCED_SYSTEM_CHECKS = []
#######################
SECURE_BROWSER_XSS_FILTER = False
SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin'
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False
SECURE_HSTS_SECONDS = 0
diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py
index 0de9532def..d95fab19b9 100644
--- a/django/core/checks/security/base.py
+++ b/django/core/checks/security/base.py
@@ -3,6 +3,9 @@ from django.core.exceptions import ImproperlyConfigured
from .. import Error, Tags, Warning, register
+CROSS_ORIGIN_OPENER_POLICY_VALUES = {
+ 'same-origin', 'same-origin-allow-popups', 'unsafe-none',
+}
REFERRER_POLICY_VALUES = {
'no-referrer', 'no-referrer-when-downgrade', 'origin',
'origin-when-cross-origin', 'same-origin', 'strict-origin',
@@ -17,8 +20,8 @@ W001 = Warning(
"You do not have 'django.middleware.security.SecurityMiddleware' "
"in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
"SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, "
- "SECURE_REFERRER_POLICY, and SECURE_SSL_REDIRECT settings will have no "
- "effect.",
+ "SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, "
+ "and SECURE_SSL_REDIRECT settings will have no effect.",
id='security.W001',
)
@@ -119,6 +122,15 @@ E023 = Error(
id='security.E023',
)
+E024 = Error(
+ 'You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid '
+ 'value.',
+ hint='Valid values are: {}.'.format(
+ ', '.join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),
+ ),
+ id='security.E024',
+)
+
def _security_middleware():
return 'django.middleware.security.SecurityMiddleware' in settings.MIDDLEWARE
@@ -232,3 +244,14 @@ def check_referrer_policy(app_configs, **kwargs):
if not values <= REFERRER_POLICY_VALUES:
return [E023]
return []
+
+
+@register(Tags.security, deploy=True)
+def check_cross_origin_opener_policy(app_configs, **kwargs):
+ if (
+ _security_middleware() and
+ settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None and
+ settings.SECURE_CROSS_ORIGIN_OPENER_POLICY not in CROSS_ORIGIN_OPENER_POLICY_VALUES
+ ):
+ return [E024]
+ return []
diff --git a/django/middleware/security.py b/django/middleware/security.py
index f27c6804b9..b9c5da9db5 100644
--- a/django/middleware/security.py
+++ b/django/middleware/security.py
@@ -17,6 +17,7 @@ class SecurityMiddleware(MiddlewareMixin):
self.redirect_host = settings.SECURE_SSL_HOST
self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
self.referrer_policy = settings.SECURE_REFERRER_POLICY
+ self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
def process_request(self, request):
path = request.path.lstrip("/")
@@ -52,4 +53,9 @@ class SecurityMiddleware(MiddlewareMixin):
if isinstance(self.referrer_policy, str) else self.referrer_policy
))
+ if self.cross_origin_opener_policy:
+ response.setdefault(
+ 'Cross-Origin-Opener-Policy',
+ self.cross_origin_opener_policy,
+ )
return response