diff options
| author | bankc <bankc@google.com> | 2020-08-26 12:09:19 -0400 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-30 19:59:24 +0200 |
| commit | db5b75f10fe211af9fab9094f937436760db8488 (patch) | |
| tree | 8a1ba3eb35bc2e16b68b2bbb195881774a8abbc2 /docs/ref | |
| parent | f6018c1e63a04e0c12e2ca759e76e05ccf5e09de (diff) | |
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/checks.txt | 7 | ||||
| -rw-r--r-- | docs/ref/middleware.txt | 38 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 15 |
3 files changed, 58 insertions, 2 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 0dbd15b5c9..a9f51b3ce9 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -417,8 +417,9 @@ The following checks are run if you use the :option:`check --deploy` option: :class:`django.middleware.security.SecurityMiddleware` in your :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`, :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`, - :setting:`SECURE_REFERRER_POLICY`, and :setting:`SECURE_SSL_REDIRECT` - settings will have no effect. + :setting:`SECURE_REFERRER_POLICY`, + :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and + :setting:`SECURE_SSL_REDIRECT` settings will have no effect. * **security.W002**: You do not have :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your :setting:`MIDDLEWARE`, so your pages will not be served with an @@ -510,6 +511,8 @@ The following checks are run if you use the :option:`check --deploy` option: should consider enabling this header to protect user privacy. * **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting to an invalid value. +* **security.E024**: You have set the + :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting to an invalid value. The following checks verify that your security-related settings are correctly configured: diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index 0078c716c0..82888ba3da 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -198,6 +198,7 @@ enabled or disabled with a setting. * :setting:`SECURE_BROWSER_XSS_FILTER` * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` +* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` * :setting:`SECURE_HSTS_PRELOAD` * :setting:`SECURE_HSTS_SECONDS` @@ -354,6 +355,43 @@ this setting are: __ https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values +.. _cross-origin-opener-policy: + +Cross-Origin Opener Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 4.0 + +Some browsers have the ability to isolate top-level windows from other +documents by putting them in a separate browsing context group based on the +value of the `Cross-Origin Opener Policy`__ (COOP) header. If a document that +is isolated in this way opens a cross-origin popup window, the popup’s +``window.opener`` property will be ``null``. Isolating windows using COOP is a +defense-in-depth protection against cross-origin attacks, especially those like +Spectre which allowed exfiltration of data loaded into a shared browsing +context. + +__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy + +``SecurityMiddleware`` can set the ``Cross-Origin-Opener-Policy`` header for +you, based on the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting. The +valid values for this setting are: + +``same-origin`` + Isolates the browsing context exclusively to same-origin documents. + Cross-origin documents are not loaded in the same browsing context. This + is the default and most secure option. + +``same-origin-allow-popups`` + Isolates the browsing context to same-origin documents or those which + either don't set COOP or which opt out of isolation by setting a COOP of + ``unsafe-none``. + +``unsafe-none`` + Allows the document to be added to its opener's browsing context group + unless the opener itself has a COOP of ``same-origin`` or + ``same-origin-allow-popups``. + .. _x-content-type-options: ``X-Content-Type-Options: nosniff`` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 5c938f26f1..382ce5c08a 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2262,6 +2262,20 @@ If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-content-type-options` header on all responses that do not already have it. +.. setting:: SECURE_CROSS_ORIGIN_OPENER_POLICY + +``SECURE_CROSS_ORIGIN_OPENER_POLICY`` +------------------------------------- + +.. versionadded:: 4.0 + +Default: ``'same-origin'`` + +Unless set to ``None``, the +:class:`~django.middleware.security.SecurityMiddleware` sets the +:ref:`cross-origin-opener-policy` header on all responses that do not already +have it to the value provided. + .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS ``SECURE_HSTS_INCLUDE_SUBDOMAINS`` @@ -3599,6 +3613,7 @@ HTTP * :setting:`SECURE_BROWSER_XSS_FILTER` * :setting:`SECURE_CONTENT_TYPE_NOSNIFF` + * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` * :setting:`SECURE_HSTS_PRELOAD` * :setting:`SECURE_HSTS_SECONDS` |
