github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-22 11:23:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: Add hidden site setting to list 'unsafe-none' COOP referrers (#27510)

Browse Source 
Some tooling may rely on an unsafe-none cross origin opener policy to work. This change adds a hidden site setting that can be used to list referrers where we add this header instead of the default one configured in cross_origin_opener_policy_header.
This commit is contained in:
Ted Johansson 2024-06-19 11:11:35 +08:00 committed by GitHub
parent 489aac3fdd
commit 3ff7ce78e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/controllers/application_controller.rb
View File

@ -1008,7 +1008,14 @@ class ApplicationController < ActionController::Base
end end
def set_cross_origin_opener_policy_header def set_cross_origin_opener_policy_header
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header response.headers["Cross-Origin-Opener-Policy"] = if SiteSetting
.cross_origin_opener_unsafe_none_referrers
.split("|")
.include?(request.referrer&.split("://")&.last)
"unsafe-none"
else
SiteSetting.cross_origin_opener_policy_header
end
end end
protected protected

4
config/site_settings.yml
View File

@ -2052,6 +2052,10 @@ security:
- "same-origin" - "same-origin"
- "same-origin-allow-popups" - "same-origin-allow-popups"
hidden: true hidden: true
cross_origin_opener_unsafe_none_referrers:
default: ""
type: host_list
hidden: true
onebox: onebox:
post_onebox_maxlength: post_onebox_maxlength:

29
spec/requests/application_controller_spec.rb
View File

@ -547,6 +547,35 @@ RSpec.describe ApplicationController do
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("unsafe-none") expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("unsafe-none")
end end
end end
describe "when `cross_origin_unsafe_none_referrers` site setting has been set" do
before do
SiteSetting.cross_origin_opener_policy_header = "same-origin"
SiteSetting.cross_origin_opener_unsafe_none_referrers =
"meta.discourse.org|try.discourse.org"
end
it "sets `Cross-Origin-Opener-Policy` to `unsafe-none` for a listed referrer" do
get "/latest", headers: { "HTTP_REFERER" => "meta.discourse.org" }
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("unsafe-none")
end
it "sets `Cross-Origin-Opener-Policy` to configured value for a non-listed referrer" do
get "/latest", headers: { "HTTP_REFERER" => "www.discourse.org" }
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("same-origin")
end
it "sets `Cross-Origin-Opener-Policy` to configured value when referrer is missing" do
get "/latest"
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("same-origin")
end
end
end end
describe "splash_screen" do describe "splash_screen" do