[ https://issues.apache.org/jira/browse/WICKET-6805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185806#comment-17185806 ]
ASF subversion and git services commented on WICKET-6805:
---------------------------------------------------------

Commit 0f42d3314f1200a3b88f76e435910ef389af6b58 in wicket's branch refs/heads/master from Ecenaz Ozmen
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=0f42d33 ]

[WICKET-6805] Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy support (#442)

* COOP and COEP Implementation (#5)
* Initial coop implementation
* Fixed typo +reformatting code
* Update wicket-core/src/main/java/org/apache/wicket/coop/CoopConfiguration.java
  Co-authored-by: Sal <salcho...@gmail.com>
* Update wicket-core/src/main/java/org/apache/wicket/coop/CoopConfiguration.java
  Co-authored-by: Sal <salcho...@gmail.com>
* Updates based on comments on the PR
* Initial COEP implementation that doesn't handle report-to and setting up a reporting endpoint
* Added javadocs and reformatted code
* Fixed typo in javadoc
* Updated valid values for COOP, same-origin-allow-popups instead of same-site
* Made builder methods public so they can be called from init() in a sample app, added default values for builder fields to avoid null pointer exceptions
* making exempted paths a HashSet for faster lookup
* Using Set instead of HashSet in the declaration of exemptedPaths + reformatting code
* Reformatting code to match Wicket's style
* Indentation fix for CoepMode enum
* Added tests for each COOP value, inlined url argument for checkHeaders in tests, formatted log statement to include path variable for exempted paths
  Co-authored-by: Sal <salcho...@gmail.com>
* Fixed typo in COEP debug statement
* Refactoring configs into SecuritySettings for COOP and COEP
* Renamed the request cycle listeners and tests with longer names of coop and coep, removed CoopConfiguration and CoepConfiguration files
* Renamed securityInit() method to coopCoepInit()
* Moved adding coop/coep listeners to validetInit in WebApplication
* WICKET-6805 Formatting, cleanup and minor improvements

Co-authored-by: Sal <salcho...@gmail.com>
Co-authored-by: Martin Tzvetanov Grigorov <mgrigo...@apache.org>

> Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy support
> -----------------------------------------------------------------------
>
>                 Key: WICKET-6805
>                 URL: https://issues.apache.org/jira/browse/WICKET-6805
>             Project: Wicket
>          Issue Type: New Feature
>          Components: wicket-core
>            Reporter: Santiago Diaz
>            Priority: Major
>
> We would like to add support in Wicket for Cross-Origin Opener Policy and
> Cross Origin Embedder Policy.
> COOP is a security mitigation that lets developers isolate their resources
> against side-channel attacks and information leaks. COEP prevents a document
> from loading any non-same-origin resources which don't explicitly grant the
> document permission to be loaded. Using COEP and COOP together allows
> developers to safely use powerful features such as SharedArrayBuffer,
> performance.measureMemory(), and the JS Self-Profiling API. COOP and COEP are
> now supported by all major browsers.
> A COOP request cycle listener will be implemented to add COOP headers to HTTP
> responses, allowing developers to configure COOP to use unsafe-none,
> same-origin or same-origin-allow-popups. Finally, developers will be able to
> disable COOP entirely for a set of exempted paths that are intended to be
> used cross-site.
> A separate COEP request cycle listener will be implemented to add COEP
> headers to HTTP responses, similarly, this listener will allow developers to
> configure COEP to use the report-only or enforcing headers, to use COEP in
> reporting or enforcing mode. The COEP listener will also allow developers to
> disable COEP entirely for a set of exempted paths.
> References:
> https://web.dev/why-coop-coep/
> https://web.dev/coop-coep/
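
The per-path header decision described in the issue, as an added example in plain Java that is not Wicket's code or API. The class, enum and method names are hypothetical, and the header names and the `require-corp` value are the standard COOP/COEP ones rather than text from this message.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: class and member names are hypothetical, not Wicket's API.
public class CrossOriginHeaderPolicy {
    enum CoopMode {
        UNSAFE_NONE("unsafe-none"),
        SAME_ORIGIN("same-origin"),
        SAME_ORIGIN_ALLOW_POPUPS("same-origin-allow-popups");
        final String value;
        CoopMode(String value) { this.value = value; }
    }
    enum CoepMode {
        ENFORCING("Cross-Origin-Embedder-Policy"),
        REPORTING("Cross-Origin-Embedder-Policy-Report-Only");
        final String header;
        CoepMode(String header) { this.header = header; }
    }
    private final CoopMode coop;
    private final CoepMode coep;
    private final Set<String> exemptedPaths;
    CrossOriginHeaderPolicy(CoopMode coop, CoepMode coep, Set<String> exemptedPaths) {
        this.coop = coop;
        this.coep = coep;
        this.exemptedPaths = Set.copyOf(exemptedPaths);
    }
    // Headers for one request path; an exempted path (exact match) gets none.
    Map<String, String> headersFor(String path) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (!exemptedPaths.contains(path)) {
            headers.put("Cross-Origin-Opener-Policy", coop.value);
            headers.put(coep.header, "require-corp");
        }
        return headers;
    }
    // Only enforced COEP together with COOP same-origin isolates the document.
    boolean isolates(String path) {
        return !exemptedPaths.contains(path)
            && coop == CoopMode.SAME_ORIGIN && coep == CoepMode.ENFORCING;
    }

    public static void main(String[] args) {
        var p = new CrossOriginHeaderPolicy(CoopMode.SAME_ORIGIN, CoepMode.REPORTING,
            Set.of("/embed/widget")); // constructed sample configuration
        for (String path : new String[] {"/account", "/embed/widget"})
            System.out.println(path + " " + p.headersFor(path) + " " + p.isolates(path));
    }
}
```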