diff options
| author | bankc <bankc@google.com> | 2020-08-26 12:09:19 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-30 19:59:24 +0200 |
| commit | db5b75f10fe211af9fab9094f937436760db8488 (patch) | |
| tree | 8a1ba3eb35bc2e16b68b2bbb195881774a8abbc2 /django | |
| parent | f6018c1e63a04e0c12e2ca759e76e05ccf5e09de (diff) | |
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
Diffstat (limited to 'django')
| -rw-r--r-- | django/conf/global_settings.py | 1 | ||||
| -rw-r--r-- | django/core/checks/security/base.py | 27 | ||||
| -rw-r--r-- | django/middleware/security.py | 6 |
3 files changed, 32 insertions, 2 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index 8108f8f762..0827e85f69 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -636,6 +636,7 @@ SILENCED_SYSTEM_CHECKS = [] ####################### SECURE_BROWSER_XSS_FILTER = False SECURE_CONTENT_TYPE_NOSNIFF = True +SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin' SECURE_HSTS_INCLUDE_SUBDOMAINS = False SECURE_HSTS_PRELOAD = False SECURE_HSTS_SECONDS = 0 diff --git a/django/core/checks/security/base.py b/django/core/checks/security/base.py index 0de9532def..d95fab19b9 100644 --- a/django/core/checks/security/base.py +++ b/django/core/checks/security/base.py @@ -3,6 +3,9 @@ from django.core.exceptions import ImproperlyConfigured from .. import Error, Tags, Warning, register +CROSS_ORIGIN_OPENER_POLICY_VALUES = { + 'same-origin', 'same-origin-allow-popups', 'unsafe-none', +} REFERRER_POLICY_VALUES = { 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', @@ -17,8 +20,8 @@ W001 = Warning( "You do not have 'django.middleware.security.SecurityMiddleware' " "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, " "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, " - "SECURE_REFERRER_POLICY, and SECURE_SSL_REDIRECT settings will have no " - "effect.", + "SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, " + "and SECURE_SSL_REDIRECT settings will have no effect.", id='security.W001', ) @@ -119,6 +122,15 @@ E023 = Error( id='security.E023', ) +E024 = Error( + 'You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid ' + 'value.', + hint='Valid values are: {}.'.format( + ', '.join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)), + ), + id='security.E024', +) + def _security_middleware(): return 'django.middleware.security.SecurityMiddleware' in settings.MIDDLEWARE @@ -232,3 +244,14 @@ def check_referrer_policy(app_configs, **kwargs): if not values <= REFERRER_POLICY_VALUES: return [E023] return [] + + +@register(Tags.security, deploy=True) +def check_cross_origin_opener_policy(app_configs, **kwargs): + if ( + _security_middleware() and + settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None and + settings.SECURE_CROSS_ORIGIN_OPENER_POLICY not in CROSS_ORIGIN_OPENER_POLICY_VALUES + ): + return [E024] + return [] diff --git a/django/middleware/security.py b/django/middleware/security.py index f27c6804b9..b9c5da9db5 100644 --- a/django/middleware/security.py +++ b/django/middleware/security.py @@ -17,6 +17,7 @@ class SecurityMiddleware(MiddlewareMixin): self.redirect_host = settings.SECURE_SSL_HOST self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT] self.referrer_policy = settings.SECURE_REFERRER_POLICY + self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY def process_request(self, request): path = request.path.lstrip("/") @@ -52,4 +53,9 @@ class SecurityMiddleware(MiddlewareMixin): if isinstance(self.referrer_policy, str) else self.referrer_policy )) + if self.cross_origin_opener_policy: + response.setdefault( + 'Cross-Origin-Opener-Policy', + self.cross_origin_opener_policy, + ) return response |
