Details
Description
The upgrade to Wicket v9 introduced a security improvement that affects our OpenUI extension(s): by default, Wicket adds the response header "Cross-Origin-Opener-Policy" with the value same-origin. This restricts JavaScript executed in an iframe by preventing it from opening a new browser window (executing window.open()). After some discussion with PM and the #security-chapter, we've decided to use the more lenient value same-origin-allow-popups. This implies that all iframes in the Wicket DOM are allowed to open a new browser window, but since we have complete control over the domains that are allowed in an iframe, it should not introduce a security issue.
See https://bloomreach.slack.com/archives/C01T1G1FQAF/p1653382601763379
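
A regression check for the header value chosen above, as an added example that is not part of the original ticket or the project's code. The sample responses are constructed, and the function names are hypothetical.

```python
EXPECTED = "same-origin-allow-popups"  # value chosen in this ticket
KNOWN = {"unsafe-none", "same-origin-allow-popups", "same-origin"}

# Constructed sample responses (not captured from a real deployment).
SAMPLE_WICKET9_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n\r\n"
)
SAMPLE_RELAXED = (
    "HTTP/1.1 200 OK\r\n"
    "cross-origin-opener-policy: same-origin-allow-popups\r\n\r\n"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def coop_values(raw_response):
    """Return every COOP value in the header block, parameters stripped."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; values are compared as sent.
        if sep and name.strip().lower() == "cross-origin-opener-policy":
            # Drop parameters such as ;report-to="..." and surrounding space.
            values.append(value.split(";", 1)[0].strip())
    return values


def check_coop(raw_response, expected=EXPECTED):
    """Return a list of findings; an empty list means the policy is as expected."""
    values = coop_values(raw_response)
    if not values:
        return ["header missing: browser falls back to unsafe-none"]
    findings = []
    if len(set(values)) > 1:
        findings.append("conflicting values sent: " + ", ".join(values))
    for v in sorted(set(values)):
        if v not in KNOWN:
            findings.append("unrecognised value: " + v)
        elif v != expected:
            findings.append("unexpected value: %s (want %s)" % (v, expected))
    return findings
```

An empty result for a response means the deployed page sends exactly the relaxed policy; any finding indicates the header drifted back to the Wicket default, was dropped, or is sent more than once.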