eozmen410 opened a new pull request #442: URL: https://github.com/apache/wicket/pull/442
Hello Wicket devs! This PR adds Cross-Origin Opener Policy and Cross-Origin Embedder Policy support for Wicket. COOP is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded. COOP and COEP are independent mechanisms and they can be enabled, tested and deployed separately. Using COEP and COOP together allows developers to safely use powerful features such as `SharedArrayBuffer`, `performance.measureMemory()`, and the JS Self-Profiling API. Both COOP and COEP require adding headers to the response. COOP and COEP are now supported by all major browsers. See [https://web.dev/why-coop-coep/](https://web.dev/why-coop-coep/) for reference.

Here's a summary of all the changes:

* We have added 2 new request cycle listeners, the `CoopRequestCycleListener` and `CoepRequestCycleListener`, to handle adding the headers for the respective security mitigations.
* The listeners can be configured using the `CoopConfiguration` and `CoepConfiguration` classes that use the builder pattern for ease of use by Wicket users.
* Using `CoopConfiguration` Wicket users will be able to specify the policy they want for COOP (`same-origin`, `same-origin-allow-popups` or `unsafe-none`) and add exempted paths to specify the endpoints for which COOP will not be enabled.
* Similarly, using `CoepConfiguration` Wicket users will be able to add exempted paths for which COEP will be disabled and specify if they want COEP to be enforcing (header set as `Cross-Origin-Embedder-Policy`) or reporting (header set as `Cross-Origin-Embedder-Policy-Report-Only`).
* We have added 2 new methods to the `WebApplication` class to make it convenient for users to `enableCoop` and `enableCoep`.

Here are sample uses of enabling these mechanisms, in the `init()` method of the `WebApplication`:

```java
// enabling Cross-Origin Opener Policy
enableCoop(new CoopConfiguration.Builder()
        .withMode(CoopMode.SAME_ORIGIN)
        .withExemptions("<exemptions>")
        .build());

// enabling Cross-Origin Embedder Policy
enableCoep(new CoepConfiguration.Builder()
        .withMode(CoepMode.ENFORCING)
        .withExemptions("<exemptions>")
        .build());
```
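The header decisions the PR describes (COOP mode, enforcing vs. report-only COEP, exempted paths, and why both are needed for cross-origin isolation), modelled as a small stand-alone example. This is added illustration, not code from the PR or from Wicket; the exemption-matching rule (exact path, or prefix when the exemption ends with `/`) and the `require-corp` directive value are assumptions, since the PR text does not state them.

```python
"""Model of the COOP/COEP header decisions described in the PR (added example, not Wicket code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple

class CoopMode(Enum):                     # values are the Cross-Origin-Opener-Policy directives
    SAME_ORIGIN = "same-origin"
    SAME_ORIGIN_ALLOW_POPUPS = "same-origin-allow-popups"
    UNSAFE_NONE = "unsafe-none"

class CoepMode(Enum):                     # values are the response header name the listener sets
    ENFORCING = "Cross-Origin-Embedder-Policy"
    REPORTING = "Cross-Origin-Embedder-Policy-Report-Only"

COOP_HEADER = "Cross-Origin-Opener-Policy"
COEP_VALUE = "require-corp"               # assumption: the COEP directive the listener emits

@dataclass(frozen=True)
class CoopConfiguration:
    mode: CoopMode
    exemptions: Tuple[str, ...] = ()

@dataclass(frozen=True)
class CoepConfiguration:
    mode: CoepMode
    exemptions: Tuple[str, ...] = ()

def is_exempt(path: str, exemptions: Tuple[str, ...]) -> bool:
    """Assumption: an exemption is an exact path, or a prefix when it ends with '/'."""
    return any(path == e or (e.endswith("/") and path.startswith(e)) for e in exemptions)

def isolation_headers(path: str, coop: CoopConfiguration, coep: CoepConfiguration) -> Dict[str, str]:
    """Headers the two listeners would add to the response for `path`; exempt paths get none."""
    headers: Dict[str, str] = {}
    if not is_exempt(path, coop.exemptions):
        headers[COOP_HEADER] = coop.mode.value
    if not is_exempt(path, coep.exemptions):
        headers[coep.mode.value] = COEP_VALUE
    return headers

def is_cross_origin_isolated(headers: Dict[str, str]) -> bool:
    """Browsers unlock SharedArrayBuffer and friends only when COOP is same-origin AND COEP is
    enforced; the Report-Only header surfaces violations but does not isolate the page."""
    return (headers.get(COOP_HEADER) == CoopMode.SAME_ORIGIN.value
            and headers.get(CoepMode.ENFORCING.value) == COEP_VALUE)
```

Rolling out with `CoepMode.REPORTING` first, then switching to `ENFORCING` once violation reports are clean, is the staged deployment the PR's separate enforcing/reporting modes make possible.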