Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-10-25 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Accepted
     Has patch:  1                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  1
 Easy pickings:  0                        |  UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * needs_better_patch:  0 => 1


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/068.1660e8054dedacc7c62c43725dbc36a6%40djangoproject.com.


Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-10-25 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Accepted
     Has patch:  1                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  0
 Easy pickings:  0                        |  UI/UX:  0
-+-
Changes (by Jacob Walls):

 * has_patch:  0 => 1


Comment:

 Hi Megan, I'm linking your patch and ticking Has Patch to increase
 visibility for reviewers. In the meantime, would you be able to rebase?

 [https://github.com/django/django/pull/13351 PR]


Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-07-30 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Accepted
     Has patch:  0                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  0
 Easy pickings:  0                        |  UI/UX:  0
-+-

Comment (by meggles711):

 Okay, sounds good, I'll cc some other developers and have them review my
 code before I make a pull request. I'll also check out the thread you
 started on the mailing list.

 I was considering pitching adding support for COOP and another header
 called Cross-Origin Embedder Policy (COEP) in the same issue. However,
 COEP relies on having a specific CORS or CORP header setting which Django
 doesn't currently have support for right now either. Maybe I consider
 tackling COEP and CORS/CORP now as well so that they don't have to be
 raised as 2 additional issues that are just adding security headers?


Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-07-30 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Accepted
     Has patch:  0                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  0
 Easy pickings:  0                        |  UI/UX:  0
-+-
Changes (by Carlton Gibson):

 * cc: Florian Apolloner (added)


Comment:

 Noting also #31425 and #30729 are more or less the same as well. ("Add
 support for a header...")


Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-07-30 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Accepted
     Has patch:  0                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  0
 Easy pickings:  0                        |  UI/UX:  0
-+-
Changes (by Carlton Gibson):

 * cc: Adam (Chainz) Johnson, Nick Pope (added)
 * stage:  Unreviewed => Accepted


Comment:

 OK, thanks. I'll provisionally Accept this, but cc a couple of people
 who've been involved before here, and also
 [https://groups.google.com/d/topic/django-developers/WJAbbwJKp30/discussion I've raised a question on the mailing list],
 since I'm not sure about ''just keep adding settings'' as the best
 approach here. (Maybe we adjust the "Accept" to something else...?)

 #30746 is the same ballpark here for Permissions-Policy


Re: [Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-07-29 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  meggles711
          Type:  New feature              |  Status:  assigned
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Resolution:
      Keywords:  COOP, security, headers  |  Triage Stage:  Unreviewed
     Has patch:  0                        |  Needs documentation:  0
   Needs tests:  0                        |  Patch needs improvement:  0
 Easy pickings:  0                        |  UI/UX:  0
-+-
Changes (by meggles711):

 * owner:  nobody => meggles711
 * status:  new => assigned



[Django] #31840: Adding Support for Cross-Origin Opener Policy

2020-07-29 Thread Django
#31840: Adding Support for Cross-Origin Opener Policy
-+-
      Reporter:  meggles711               |  Owner:  nobody
          Type:  New feature              |  Status:  new
     Component:  HTTP handling            |  Version:  master
      Severity:  Normal                   |  Keywords:  COOP, security, headers
  Triage Stage:  Unreviewed               |  Has patch:  0
 Needs documentation:  0                  |  Needs tests:  0
 Patch needs improvement:  0              |  Easy pickings:  0
         UI/UX:  0                        |
-+-
 I would like to add support for the Cross-Origin Opener Policy header in
 Django.

 **What is Cross-Origin Opener Policy?**
 Cross-Origin Opener Policy (COOP) is an HTTP header that protects against
 cross-origin attacks when set. This is a relatively new security feature
 that would add protection to Django.

 Historically, CORS has been sufficient in protecting against these attacks
 by confirming that a server intends to share a resource with a given
 origin. Spectre, a vulnerability in modern processors, has made any data
 loaded into the same browsing context potentially vulnerable. COOP is used
 to tell browsers to open resources so that they are loaded within separate
 browsing contexts preventing information leaks.

 COOP isolates top-level windows from other documents by loading them in a
 different browsing context. This means that all cross-origin requests can
 be vetted by the server that owns the resource.

 This header can be set to same-origin, same-origin-allow-popups, or
 unsafe-none. Documents marked same-origin can only be in the same
 browsing context as other documents from the same origin that are also
 marked same-origin. Documents marked as same-origin-allow-popups can
 maintain references to pop-ups if they do not have the COOP header set or
 if they are marked as unsafe-none. Documents marked as unsafe-none can be
 added to the opener's browsing context unless the opener is marked
 same-origin.

 With COOP, developers can finely control cross-origin access to each
 document in their application. You can read more about COOP in the
 [https://html.spec.whatwg.org/multipage/origin.html#the-cross-origin-opener-policy-header spec].


 **Proposed Changes to Django**

 Django users should have the ability to set the COOP header. This can be
 implemented in a similar way to the Referrer-Policy header in the security
 middleware. The header will be added to the response in the
 process_response function. The header should default to same-origin as
 this is the most secure setting.

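The two technical parts of the ticket description, the rules for which documents keep a reference to each other under each COOP value and the proposed middleware that sets the header with a same-origin default, as an added Python example. This is not Django's code and not the patch under review: the setting name `SECURE_CROSS_ORIGIN_OPENER_POLICY`, the constructor argument, and the `Response`/`ImproperlyConfigured` stand-ins are assumptions made so the example runs without Django installed. The matching rules follow the ticket's description of the three values (a document with no COOP header behaves as unsafe-none).

```python
"""Added example, not Django's code: the COOP rules from the ticket modelled as
functions, plus a Django-style middleware that sets the header the way the ticket
proposes. Names marked "assumed" are not from the ticket."""

# The three header values the ticket lists.
VALID_COOP_VALUES = ("same-origin", "same-origin-allow-popups", "unsafe-none")
HEADER = "Cross-Origin-Opener-Policy"


def is_valid_policy(value):
    """True for the three values the ticket describes; None means 'do not send it'."""
    return value is None or value in VALID_COOP_VALUES


def coop_values_match(policy_a, origin_a, policy_b, origin_b):
    """Two documents share a browsing context group outright when both are
    unsafe-none, or when both carry the same stricter value AND the same origin."""
    if policy_a == "unsafe-none" and policy_b == "unsafe-none":
        return True
    if policy_a == "unsafe-none" or policy_b == "unsafe-none":
        return False
    return policy_a == policy_b and origin_a == origin_b


def keeps_opener_reference(opener_policy, opener_origin, popup_policy, popup_origin):
    """Does a window opened by `opener` stay in the opener's browsing context group?

    When this returns False the browser isolates the two documents: window.opener
    is null in the popup and the opener's handle to it is severed, which is the
    cross-origin isolation the ticket is after."""
    if coop_values_match(opener_policy, opener_origin, popup_policy, popup_origin):
        return True
    # The allow-popups exception from the ticket: an opener marked
    # same-origin-allow-popups keeps a reference to popups that have no COOP
    # header (unsafe-none), e.g. a third-party payment or sign-in window.
    return opener_policy == "same-origin-allow-popups" and popup_policy == "unsafe-none"


class ImproperlyConfigured(ValueError):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (no Django needed)."""


class Response(dict):
    """Constructed stand-in for HttpResponse: only header-dict behaviour is used."""


class CrossOriginOpenerPolicyMiddleware:
    """Sets Cross-Origin-Opener-Policy the way SecurityMiddleware sets Referrer-Policy.

    In Django the value would come from a setting (assumed name:
    SECURE_CROSS_ORIGIN_OPENER_POLICY); here it is a constructor argument."""

    def __init__(self, get_response, policy="same-origin"):
        self.get_response = get_response
        # Default to same-origin, the most restrictive value, as the ticket proposes.
        # Validate once at startup so a typo fails loudly instead of shipping a
        # header value browsers would silently ignore.
        if not is_valid_policy(policy):
            raise ImproperlyConfigured(
                "%s must be one of %s or None, got %r" % (HEADER, VALID_COOP_VALUES, policy)
            )
        self.policy = policy

    def __call__(self, request):
        return self.process_response(request, self.get_response(request))

    def process_response(self, request, response):
        # setdefault, as for Referrer-Policy: a view that explicitly set its own COOP
        # (say same-origin-allow-popups on a sign-in entry page) is left alone.
        if self.policy is not None:
            response.setdefault(HEADER, self.policy)
        return response


def run_through_middleware(policy="same-origin", preset_header=None):
    """Send a constructed response through the middleware and return the COOP
    header it ends up with (None if absent)."""
    def view(request):
        resp = Response()
        if preset_header is not None:
            resp[HEADER] = preset_header
        return resp
    return CrossOriginOpenerPolicyMiddleware(view, policy=policy)(request=None).get(HEADER)


if __name__ == "__main__":
    print("default header:", run_through_middleware())
    print("view override kept:", run_through_middleware(preset_header="same-origin-allow-popups"))
    print("disabled:", run_through_middleware(policy=None))
    print("same-origin opener keeps a cross-origin unsafe-none popup?",
          keeps_opener_reference("same-origin", "https://app.example",
                                 "unsafe-none", "https://idp.example"))
```

The `setdefault` call is the point worth copying from the Referrer-Policy handling: a project-wide default of same-origin covers every response, while a single view that legitimately needs to keep a handle on a popup can set same-origin-allow-popups itself without a per-view setting.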