DEV: Add hidden `cross_origin_opener_policy_header` site setting (#23346)
Why this change? As part of our ongoing efforts to security harden the Discourse application, we are adding the `cross_origin_opener_policy_header` site setting which allows the `Cross-Origin-Opener-Policy` response header to be set on requests that preloads the Discourse application. In more technical terms, only GET requests that are not json or xhr will have the response header set. The `cross_origin_opener_policy_header` site setting is hidden for now for testing purposes and will either be released as a public site setting or be remove if we decide to be opinionated and ship a default for the `Cross-Origin-Opener-Policy` response header.
This commit is contained in:
parent
ec9911a48c
commit
5d7d607b5f
|
@ -51,6 +51,7 @@ class ApplicationController < ActionController::Base
|
||||||
after_action :add_noindex_header,
|
after_action :add_noindex_header,
|
||||||
if: -> { is_feed_request? || !SiteSetting.allow_index_in_robots_txt }
|
if: -> { is_feed_request? || !SiteSetting.allow_index_in_robots_txt }
|
||||||
after_action :add_noindex_header_to_non_canonical, if: :spa_boot_request?
|
after_action :add_noindex_header_to_non_canonical, if: :spa_boot_request?
|
||||||
|
after_action :set_cross_origin_opener_policy_header, if: :spa_boot_request?
|
||||||
around_action :link_preload, if: -> { spa_boot_request? && GlobalSetting.preload_link_header }
|
around_action :link_preload, if: -> { spa_boot_request? && GlobalSetting.preload_link_header }
|
||||||
|
|
||||||
HONEYPOT_KEY ||= "HONEYPOT_KEY"
|
HONEYPOT_KEY ||= "HONEYPOT_KEY"
|
||||||
|
@ -985,6 +986,12 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def set_cross_origin_opener_policy_header
|
||||||
|
if SiteSetting.cross_origin_opener_policy_header != "unsafe-none"
|
||||||
|
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
def honeypot_value
|
def honeypot_value
|
||||||
|
|
|
@ -1842,6 +1842,14 @@ security:
|
||||||
default: false
|
default: false
|
||||||
display_personal_messages_tag_counts:
|
display_personal_messages_tag_counts:
|
||||||
default: false
|
default: false
|
||||||
|
cross_origin_opener_policy_header:
|
||||||
|
default: "unsafe-none"
|
||||||
|
type: enum
|
||||||
|
choices:
|
||||||
|
- "unsafe-none"
|
||||||
|
- "same-origin"
|
||||||
|
- "same-origin-allow-popups"
|
||||||
|
hidden: true
|
||||||
|
|
||||||
onebox:
|
onebox:
|
||||||
post_onebox_maxlength:
|
post_onebox_maxlength:
|
||||||
|
@ -2680,7 +2688,6 @@ user_preferences:
|
||||||
default: false
|
default: false
|
||||||
default_hide_profile_and_presence:
|
default_hide_profile_and_presence:
|
||||||
default: false
|
default: false
|
||||||
|
|
||||||
default_other_new_topic_duration_minutes:
|
default_other_new_topic_duration_minutes:
|
||||||
enum: "NewTopicDurationSiteSetting"
|
enum: "NewTopicDurationSiteSetting"
|
||||||
default: 2880
|
default: 2880
|
||||||
|
|
|
@ -517,6 +517,37 @@ RSpec.describe ApplicationController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "setting `Cross-Origin-Opener-Policy` header" do
|
||||||
|
describe "when `cross_origin_opener_policy_header` site setting is set to `same-origin`" do
|
||||||
|
before { SiteSetting.cross_origin_opener_policy_header = "same-origin" }
|
||||||
|
|
||||||
|
it "sets `Cross-Origin-Opener-Policy` header to `same-origin`" do
|
||||||
|
get "/latest"
|
||||||
|
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("same-origin")
|
||||||
|
end
|
||||||
|
|
||||||
|
it "does not set the `Cross-Origin-Opener-Policy` header for a JSON request" do
|
||||||
|
get "/latest.json"
|
||||||
|
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq(nil)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "when `cross_origin_opener_policy_header` site setting is set to `unsafe-none`" do
|
||||||
|
it "does not set the `Cross-Origin-Opener-Policy` header" do
|
||||||
|
SiteSetting.cross_origin_opener_policy_header = "unsafe-none"
|
||||||
|
|
||||||
|
get "/latest"
|
||||||
|
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq(nil)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "splash_screen" do
|
describe "splash_screen" do
|
||||||
let(:admin) { Fabricate(:admin) }
|
let(:admin) { Fabricate(:admin) }
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue