We would like to add support in Struts for Cross-Origin Opener and Cross-Origin Embedder Policy.
COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COOP is now supported by all major browsers.
A COOP interceptor will be implemented to add COOP headers to HTTP responses, allowing developers to configure COOP to use unsafe-none, same-site or same-origin. Finally, developers will be able to disable COOP entirely for a set of exempted paths that are intended to be used cross-site.
COEP is a security mitigation which lets developers ensure that all resources loaded by a given document have explicitly opted into being embedded. COEP is now supported by all major browsers.
A COEP interceptor will be implemented to add COEP headers to HTTP responses, configuring COEP to the only accepted value "require-corp". A built-in handler for COEP violation reports that will be used to collect and provide textual explanations of these reports. This will be achieved with the setting of the "report-to" header to a default endpoint or one specified by the developer.
Additionally, developers will be able to choose between two options: whether they want to both block resources and send report to the endpoint or only send a report without blocking the resources. Finally, developers will be able to disable COEP entirely.