Implement COOP and COEP

hyperium · Dec 15, 2022 · 851ccb1 · 851ccb1
1 parent 34dc1cc
commit 851ccb1
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 0 deletions.
diff --git a/benches/src/header_map/basic.rs b/benches/src/header_map/basic.rs
@@ -547,6 +547,8 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/src/header/mod.rs b/src/header/mod.rs
@@ -112,6 +112,8 @@ pub use self::name::{
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/src/header/name.rs b/src/header/name.rs
@@ -464,6 +464,30 @@ standard_headers! {
     /// the browser are set to block them, for example.
     (Cookie, COOKIE, b"cookie");
 
+    /// Allows a server to declare an embedder policy for a given document.
+    ///
+    /// The HTTP `Cross-Origin-Embedder-Policy` (COEP) response header prevents
+    /// a document from loading any cross-origin resources that don't
+    /// explicitly grant the document permission (using CORP or CORS).
+    (CrossOriginEmbedderPolicy, CROSS_ORIGIN_EMBEDDER_POLICY, b"cross-origin-embedder-policy");
+
+    /// Prevents other domains from opening/controlling a window.
+    ///
+    /// The HTTP `Cross-Origin-Opener-Policy` (COOP) response header allows you
+    /// to ensure a top-level document does not share a browsing context group
+    /// with cross-origin documents.
+    ///
+    /// COOP will process-isolate your document and potential attackers can't
+    /// access your global object if they were to open it in a popup,
+    /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+    ///
+    /// If a cross-origin document with COOP is opened in a new window, the
+    /// opening document will not have a reference to it, and the
+    /// `window.opener` property of the new window will be `null`. This allows
+    /// you to have more control over references to a window than
+    /// `rel=noopener`, which only affects outgoing navigations.
+    (CrossOriginOpenerPolicy, CROSS_ORIGIN_OPENER_POLICY, b"cross-origin-opener-policy");
+
     /// Indicates the client's tracking preference.
     ///
     /// This header lets users indicate whether they would prefer privacy rather

diff --git a/tests/header_map.rs b/tests/header_map.rs
@@ -357,6 +357,8 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/tests/header_map_fuzz.rs b/tests/header_map_fuzz.rs
@@ -293,6 +293,8 @@ fn gen_header_name(g: &mut StdRng) -> HeaderName {
         header::CONTENT_SECURITY_POLICY_REPORT_ONLY,
         header::CONTENT_TYPE,
         header::COOKIE,
+        header::CROSS_ORIGIN_EMBEDDER_POLICY,
+        header::CROSS_ORIGIN_OPENER_POLICY,
         header::DNT,
         header::DATE,
         header::ETAG,