Details
- New Feature
- Status: Resolved
- Major
- Resolution: Fixed
Description
We would like to add support in Wicket for Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP).
COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. Using COEP and COOP together allows developers to safely use powerful features such as SharedArrayBuffer, performance.measureMemory(), and the JS Self-Profiling API. COOP and COEP are now supported by all major browsers.
A COOP request cycle listener will be implemented to add COOP headers to HTTP responses, allowing developers to configure COOP to use unsafe-none, same-origin or same-origin-allow-popups. Finally, developers will be able to disable COOP entirely for a set of exempted paths that are intended to be used cross-site.
A separate COEP request cycle listener will be implemented to add COEP headers to HTTP responses. Similarly, this listener will allow developers to choose between the report-only and enforcing headers, so that COEP runs in reporting or enforcing mode. The COEP listener will also allow developers to disable COEP entirely for a set of exempted paths.
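A sketch of how such a listener could look, added here as an illustration and not Wicket's own implementation. For brevity it folds COOP and COEP into one hypothetical class, `IsolationHeadersListener`, with a single exemption set, whereas the proposal describes two separate listeners. It assumes a Wicket version in which the `IRequestCycleListener` methods have default implementations.

```java
import java.util.Set;

import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;

// Hypothetical listener (not a Wicket class): sets COOP and COEP headers on
// every HTTP response except those for exempted paths.
public class IsolationHeadersListener implements IRequestCycleListener {

    // One of: unsafe-none, same-origin, same-origin-allow-popups
    private final String coopValue;
    // true: violations are reported but not blocked; false: enforced
    private final boolean coepReportOnly;
    // Assumption: entries are written in the form Url.getPath() returns
    private final Set<String> exemptedPaths;

    public IsolationHeadersListener(String coopValue, boolean coepReportOnly,
                                    Set<String> exemptedPaths) {
        this.coopValue = coopValue;
        this.coepReportOnly = coepReportOnly;
        this.exemptedPaths = Set.copyOf(exemptedPaths);
    }

    @Override
    public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) {
        if (!(cycle.getResponse() instanceof WebResponse)) {
            return; // not an HTTP response, so there are no headers to set
        }
        String path = cycle.getRequest().getUrl().getPath();
        if (exemptedPaths.contains(path)) {
            return; // endpoint intended for cross-site use: send neither header
        }
        WebResponse response = (WebResponse) cycle.getResponse();
        response.setHeader("Cross-Origin-Opener-Policy", coopValue);
        // The header name selects the mode; the policy value is the same in both.
        String coepHeader = coepReportOnly
            ? "Cross-Origin-Embedder-Policy-Report-Only"
            : "Cross-Origin-Embedder-Policy";
        response.setHeader(coepHeader, "require-corp");
    }
}
```

A listener like this would be registered in the application's `init()` method through `getRequestCycleListeners().add(...)`. Starting COEP in report-only mode shows which embedded resources would be blocked before enforcement is switched on.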
References: