  1. Wicket
  2. WICKET-6805

Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy support


Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 9.1.0
    • wicket-core
    • None

    Description

      We would like to add support in Wicket for Cross-Origin Opener Policy and Cross-Origin Embedder Policy.

      COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. Using COEP and COOP together allows developers to safely use powerful features such as SharedArrayBuffer, performance.measureMemory(), and the JS Self-Profiling API. COOP and COEP are now supported by all major browsers.

      A COOP request cycle listener will be implemented to add COOP headers to HTTP responses, allowing developers to configure COOP to use unsafe-none, same-origin or same-origin-allow-popups. Finally, developers will be able to disable COOP entirely for a set of exempted paths that are intended to be used cross-site.

      A separate COEP request cycle listener will be implemented to add COEP headers to HTTP responses. Similarly, this listener will allow developers to configure COEP to use the report-only or enforcing headers, to use COEP in reporting or enforcing mode. The COEP listener will also allow developers to disable COEP entirely for a set of exempted paths.

      References:

      https://web.dev/why-coop-coep/

      https://web.dev/coop-coep/
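
The header decision the two listeners describe, sketched as an added example (not part of the original issue and not Wicket's implementation). The class, enum and method names are hypothetical, exact-path matching for exemptions is an assumption, and the paths are constructed samples.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not Wicket's API: decides which isolation headers a response gets.
public class IsolationHeaders {
    // The three COOP values named in the issue.
    enum Coop {
        UNSAFE_NONE("unsafe-none"), SAME_ORIGIN("same-origin"),
        SAME_ORIGIN_ALLOW_POPUPS("same-origin-allow-popups");
        final String value;
        Coop(String value) { this.value = value; }
    }

    // COEP mode selects the header name; the value is require-corp in both modes.
    enum Coep {
        REPORTING("Cross-Origin-Embedder-Policy-Report-Only"),
        ENFORCING("Cross-Origin-Embedder-Policy");
        final String header;
        Coep(String header) { this.header = header; }
    }

    // Assumption: exemptions match the exact request path, so exempting
    // "/embed/widget" does not silently exempt "/embed/widget/admin".
    static Map<String, String> headersFor(String path, Coop coop, Set<String> coopExempt,
                                          Coep coep, Set<String> coepExempt) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (!coopExempt.contains(path)) {
            headers.put("Cross-Origin-Opener-Policy", coop.value);
        }
        if (!coepExempt.contains(path)) {
            headers.put(coep.header, "require-corp");
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample paths and exemption sets.
        Set<String> coopExempt = Set.of("/oauth/popup-callback");
        Set<String> coepExempt = Set.of("/embed/widget");
        for (String path : new String[] {"/home", "/oauth/popup-callback", "/embed/widget"}) {
            System.out.println(path + " -> " + headersFor(path, Coop.SAME_ORIGIN,
                    coopExempt, Coep.REPORTING, coepExempt));
        }
    }
}
```

In reporting mode the browser only reports COEP violations and does not block loads, so a page served this way is not cross-origin isolated until it is switched to the enforcing header.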

          People

            mgrigorov Martin Tzvetanov Grigorov
            saldiaz Santiago Diaz