summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorbankc <bankc@google.com>2020-08-26 12:09:19 -0400
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-30 19:59:24 +0200
commitdb5b75f10fe211af9fab9094f937436760db8488 (patch)
tree8a1ba3eb35bc2e16b68b2bbb195881774a8abbc2 /docs/ref
parentf6018c1e63a04e0c12e2ca759e76e05ccf5e09de (diff)
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/checks.txt7
-rw-r--r--docs/ref/middleware.txt38
-rw-r--r--docs/ref/settings.txt15
3 files changed, 58 insertions, 2 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index 0dbd15b5c9..a9f51b3ce9 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -417,8 +417,9 @@ The following checks are run if you use the :option:`check --deploy` option:
:class:`django.middleware.security.SecurityMiddleware` in your
:setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
- :setting:`SECURE_REFERRER_POLICY`, and :setting:`SECURE_SSL_REDIRECT`
- settings will have no effect.
+ :setting:`SECURE_REFERRER_POLICY`,
+ :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and
+ :setting:`SECURE_SSL_REDIRECT` settings will have no effect.
* **security.W002**: You do not have
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
:setting:`MIDDLEWARE`, so your pages will not be served with an
@@ -510,6 +511,8 @@ The following checks are run if you use the :option:`check --deploy` option:
should consider enabling this header to protect user privacy.
* **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting
to an invalid value.
+* **security.E024**: You have set the
+ :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting to an invalid value.
The following checks verify that your security-related settings are correctly
configured:
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index 0078c716c0..82888ba3da 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -198,6 +198,7 @@ enabled or disabled with a setting.
* :setting:`SECURE_BROWSER_XSS_FILTER`
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
+* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
* :setting:`SECURE_HSTS_PRELOAD`
* :setting:`SECURE_HSTS_SECONDS`
@@ -354,6 +355,43 @@ this setting are:
__ https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values
+.. _cross-origin-opener-policy:
+
+Cross-Origin Opener Policy
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 4.0
+
+Some browsers have the ability to isolate top-level windows from other
+documents by putting them in a separate browsing context group based on the
+value of the `Cross-Origin Opener Policy`__ (COOP) header. If a document that
+is isolated in this way opens a cross-origin popup window, the popup’s
+``window.opener`` property will be ``null``. Isolating windows using COOP is a
+defense-in-depth protection against cross-origin attacks, especially those like
+Spectre which allowed exfiltration of data loaded into a shared browsing
+context.
+
+__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+
+``SecurityMiddleware`` can set the ``Cross-Origin-Opener-Policy`` header for
+you, based on the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting. The
+valid values for this setting are:
+
+``same-origin``
+ Isolates the browsing context exclusively to same-origin documents.
+ Cross-origin documents are not loaded in the same browsing context. This
+ is the default and most secure option.
+
+``same-origin-allow-popups``
+ Isolates the browsing context to same-origin documents or those which
+ either don't set COOP or which opt out of isolation by setting a COOP of
+ ``unsafe-none``.
+
+``unsafe-none``
+ Allows the document to be added to its opener's browsing context group
+ unless the opener itself has a COOP of ``same-origin`` or
+ ``same-origin-allow-popups``.
+
.. _x-content-type-options:
``X-Content-Type-Options: nosniff``
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 5c938f26f1..382ce5c08a 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2262,6 +2262,20 @@ If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
sets the :ref:`x-content-type-options` header on all responses that do not
already have it.
+.. setting:: SECURE_CROSS_ORIGIN_OPENER_POLICY
+
+``SECURE_CROSS_ORIGIN_OPENER_POLICY``
+-------------------------------------
+
+.. versionadded:: 4.0
+
+Default: ``'same-origin'``
+
+Unless set to ``None``, the
+:class:`~django.middleware.security.SecurityMiddleware` sets the
+:ref:`cross-origin-opener-policy` header on all responses that do not already
+have it to the value provided.
+
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
``SECURE_HSTS_INCLUDE_SUBDOMAINS``
@@ -3599,6 +3613,7 @@ HTTP
* :setting:`SECURE_BROWSER_XSS_FILTER`
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
+ * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
* :setting:`SECURE_HSTS_PRELOAD`
* :setting:`SECURE_HSTS_SECONDS`