
Cross-Origin-Opener-Policy: same-origin breaks Hypothesis web annotation software #498

Closed
simonw opened this issue Oct 19, 2024 · 2 comments

simonw commented Oct 19, 2024

See:

@simonw simonw added the bug label Oct 19, 2024

simonw commented Oct 19, 2024

This is a Django default: https://docs.djangoproject.com/en/5.1/ref/middleware/#cross-origin-opener-policy

If a document that is isolated in this way opens a cross-origin popup window, the popup's window.opener property will be null. Isolating windows using COOP is a defense-in-depth protection against cross-origin attacks, especially those like Spectre which allowed exfiltration of data loaded into a shared browsing context.

I'm going to turn this off - if I was a fancy web app I'd worry about it, but for a mostly static blog I don't think it matters.

simonw added a commit that referenced this issue Oct 19, 2024

simonw commented Oct 19, 2024

Before:

curl -I 'https://simonwillison.net/2023/Aug/27/wordcamp-llms/'
HTTP/2 200 
date: Sat, 19 Oct 2024 05:19:30 GMT
content-type: text/html; charset=utf-8
report-to: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1729311460&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=RS%2FetdVhwLDCX%2B%2BaZxvONGb3cNBMjY5hkeZRQcc8f6c%3D"}]}
reporting-endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1729311460&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=RS%2FetdVhwLDCX%2B%2BaZxvONGb3cNBMjY5hkeZRQcc8f6c%3D
nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
django-composition: My Serenade
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
via: 1.1 vegur
cf-cache-status: HIT
age: 3709
last-modified: Sat, 19 Oct 2024 04:17:41 GMT
accept-ranges: bytes
server: cloudflare
cf-ray: 8d4e50449d9acea0-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=20229&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2906&recv_bytes=566&delivery_rate=139270&cwnd=139&unsent_bytes=0&cid=22a8498181108e9a&ts=44&x=0"

After:

HTTP/2 200 
date: Sat, 19 Oct 2024 05:20:02 GMT
content-type: text/html; charset=utf-8
report-to: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1729315202&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=F%2FyEEPzcFRuarQlnU3a53NDkFR3wSOn65afWDPxxrvI%3D"}]}
reporting-endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1729315202&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=F%2FyEEPzcFRuarQlnU3a53NDkFR3wSOn65afWDPxxrvI%3D
nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
django-composition: Deccaphonie
x-content-type-options: nosniff
referrer-policy: same-origin
via: 1.1 vegur
cf-cache-status: EXPIRED
last-modified: Sat, 19 Oct 2024 05:20:02 GMT
accept-ranges: bytes
server: cloudflare
cf-ray: 8d4e510d2adc169e-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=23729&sent=6&recv=12&lost=0&retrans=0&sent_bytes=2906&recv_bytes=597&delivery_rate=103925&cwnd=114&unsent_bytes=0&cid=4e5b1c44b509e76d&ts=332&x=0"
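The opener rule quoted from the Django docs, checked against the before and after headers above, as an added example that is not code from this issue, the site, or Django. It assumes the annotation tool's popup sends no COOP header of its own and uses a constructed placeholder for its origin.

```python
"""Added example: read a 'curl -I' dump, find the COOP header, and decide whether
a cross-origin popup opened from that page keeps window.opener. The rule is the
HTML spec's COOP matching algorithm reduced to the three values Django can emit;
the popup is assumed to send no COOP, and its origin is a constructed placeholder."""

COOP_VALUES = {"unsafe-none", "same-origin-allow-popups", "same-origin"}

def parse_headers(raw):
    """Turn a 'curl -I' dump into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # drop the HTTP/2 status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def coop_of(headers):
    """COOP value the browser applies; absent or unknown means unsafe-none."""
    value = headers.get("cross-origin-opener-policy", "unsafe-none").lower()
    return value if value in COOP_VALUES else "unsafe-none"

def opener_retained(opener_coop, opener_origin, popup_coop, popup_origin):
    """True when no browsing-context-group switch happens, so window.opener survives."""
    if opener_coop == "unsafe-none" and popup_coop == "unsafe-none":
        return True
    if opener_coop == "same-origin-allow-popups" and popup_coop == "unsafe-none":
        return True  # the single exception same-origin-allow-popups carves out
    return opener_coop == popup_coop and opener_origin == popup_origin

# Trimmed copies of the two header dumps in the comment above.
BEFORE = """HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
"""
AFTER = """HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
referrer-policy: same-origin
"""

def annotation_popup_works(raw, page_origin="https://simonwillison.net",
                           popup_origin="https://annotation.example"):  # constructed origin
    """Does a COOP-less popup from the annotation tool keep its opener?"""
    return opener_retained(coop_of(parse_headers(raw)), page_origin, "unsafe-none", popup_origin)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, coop_of(parse_headers(raw)), annotation_popup_works(raw))
```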

@simonw simonw closed this as completed Oct 19, 2024