Fixed #31840 - Added Support for Cross-Origin Opener Policy #13351
Conversation
560ce96
to
6ea081d
Compare
f501bd4
to
dafa8fa
Compare
There was a problem hiding this comment.
Nice work, amazing for a first time contribution. Thank you for making this PR - I love to see new security headers coming into Django. I was a bit concerned that browsers might not have standardized MDN lists the header as fully supported on Chrome, Edge, and Firefox.
The new default is backwards incompatible, but I think the use cases (cross-site pop-ups deliberately communicating) are fairly niche (I think?). For referrer-policy we added it in one version (3.0) then changed the default in the next (3.1.). We could do that here, but I think doing it all at once with a good release note should be enough, and isn't really that functionally different from changing the default in one version.
I've made a few comments below, mostly small picks. I'm sure the fellows will have more to say, they know more about what's going on than me.
I didn't check but there should be a ticket for COEP/CORP too, if you're feeling like a follow-up. I guess they should be added together since they're more interdependent.
Implemented support for cross-origin opener policy. Fixes #31840