From 2dbc0e3b3d4b5eda63e27ff998ce87d1ad69ec04 Mon Sep 17 00:00:00 2001
From: Eric Mc Sween
Date: Thu, 26 Jan 2023 14:39:10 -0500
Subject: [PATCH] Merge pull request #11489 from overleaf/em-fix-paypal

Set COOP header to same-origin-allow-popups

GitOrigin-RevId: c8c3751386addb307ee2caf59c228484e8e593c0
---
 services/web/app/src/infrastructure/Server.js | 3 +++
 services/web/test/acceptance/src/SecurityHeadersTests.js | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/web/app/src/infrastructure/Server.js b/services/web/app/src/infrastructure/Server.js
index 086719b7c0..51da4016a9 100644
--- a/services/web/app/src/infrastructure/Server.js
+++ b/services/web/app/src/infrastructure/Server.js
@@ -272,6 +272,9 @@ webRouter.use(
 // Disabled because it's impractical to include every resource via CORS or
 // with the magic CORP header
 crossOriginEmbedderPolicy: false,
+// We need to be able to share the context of some popups. For example,
+// when Recurly opens Paypal in a popup.
+crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
 // Disabled because it's not a security header and has possibly-unwanted
 // effects
 originAgentCluster: false,
diff --git a/services/web/test/acceptance/src/SecurityHeadersTests.js b/services/web/test/acceptance/src/SecurityHeadersTests.js
index 8f8b0c1bec..aba148735b 100644
--- a/services/web/test/acceptance/src/SecurityHeadersTests.js
+++ b/services/web/test/acceptance/src/SecurityHeadersTests.js
@@ -23,7 +23,7 @@ const assert_has_common_headers = function (response) {
 'x-download-options': 'noopen',
 'x-xss-protection': '0',
 'cross-origin-resource-policy': 'same-origin',
-'cross-origin-opener-policy': 'same-origin',
+'cross-origin-opener-policy': 'same-origin-allow-popups',
 'x-content-type-options': 'nosniff',
 'x-permitted-cross-domain-policies': 'none',
 'referrer-policy': 'origin-when-cross-origin',
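Review bot: The relaxation to `same-origin-allow-popups` in the Server.js hunk applies to every response, because this helmet configuration sits inside what the hunk header shows as a `webRouter.use(` call (the call starts and ends outside the hunk), while only the Recurly/PayPal checkout flow needs popups to keep their `window.opener` reference. Pages that never open a cross-origin popup lose nothing from the stricter `same-origin`, so consider keeping helmet's default here and setting `Cross-Origin-Opener-Policy: same-origin-allow-popups` only on the subscription routes that open the popup, so the acceptance test in SecurityHeadersTests.js can keep pinning `same-origin` for common responses. The added comment should also record that this is a deliberate downgrade, e.g. `// Deliberately weaker than helmet's default 'same-origin': popups we open keep their window.opener reference, which the Recurly/PayPal checkout relies on.` Since `crossOriginEmbedderPolicy` is already disabled two lines above, `crossOriginIsolated` was unavailable before this change, so that is not what is being given up here.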