From 3a0e8d0daabe364a0e3f5543aab0d742b01bb99f Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Wed, 27 Aug 2025 16:17:47 +0200
Subject: [PATCH] Add support or setting Cross-Origin-Opener-Policy header

And default it to same-origin, the most locked down value. I don't think we need to allow it anywhere, but having this decorator makes it possible to override if needed.
---
 pgweb/util/decorators.py | 11 +++++++++++
 pgweb/util/middleware.py | 2 ++
 2 files changed, 13 insertions(+)

diff --git a/pgweb/util/decorators.py b/pgweb/util/decorators.py
index dbd39e58..b6e67b80 100644
--- a/pgweb/util/decorators.py
+++ b/pgweb/util/decorators.py
@@ -57,6 +57,17 @@ def allow_frames(fn):
 return _allow_frames
+def origin_opener_policy(policy):
+ def _origin_opener_policy(fn):
+ def __origin_opener_policy(request, *_args, **_kwargs):
+ resp = fn(request, *_args, **_kwargs)
+ resp.x_origin_opener_policy = policy
+
+ return resp
+ return __origin_opener_policy
+ return _origin_opener_policy
+
+
 def content_sources(what, source):
 def _script_sources(fn):
 def __script_sources(request, *_args, **_kwargs):
diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 28868459..402ac2eb 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -75,6 +75,8 @@ class PgMiddleware(object):
 else:
 response['Content-Security-Policy'] = " ; ".join(security_policies)
+response['Cross-Origin-Opener-Policy'] = getattr(response, 'x_origin_opener_policy', 'same-origin')
+
 response['X-XSS-Protection'] = "1; mode=block"
 return response
-- 
2.39.5
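Review bot: `origin_opener_policy` stores whatever string it is given in `resp.x_origin_opener_policy` without checking it, so a typo such as 'same-orgin' would be emitted verbatim by the middleware, and a browser that does not recognise the token treats the header as unsafe-none in practice, silently losing the isolation the default provides. Rejecting unknown values at decoration time surfaces that mistake when the module is imported rather than never: put `if policy not in ('unsafe-none', 'same-origin-allow-popups', 'same-origin'):` followed by `raise ValueError('unsupported Cross-Origin-Opener-Policy value: {!r}'.format(policy))` as the first lines of `origin_opener_policy`. The decorator also has no docstring; a one-liner such as `"""Set the Cross-Origin-Opener-Policy header that PgMiddleware emits for this view's response."""` would document the x_origin_opener_policy attribute handshake with the middleware. Like the neighbouring `allow_frames` and `content_sources` decorators, the wrapper does not use `functools.wraps`, so the decorated view loses its name and docstring; that is consistent with the file but worth knowing.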
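Review bot: The new `Cross-Origin-Opener-Policy` line hard-codes both the attribute name `'x_origin_opener_policy'` and the default `'same-origin'` with no comment tying them to the `origin_opener_policy` decorator in pgweb/util/decorators.py, so a reader of the middleware alone cannot tell where an override would come from or why same-origin is the default. A comment above the line, e.g. `# Most restrictive COOP value by default; a view can relax it with the @origin_opener_policy decorator, which sets response.x_origin_opener_policy.`, would close that gap. Because the attribute name is a string contract shared by two files, defining it once as a module-level constant that both sides reference would make a future rename safe. The enclosing method of PgMiddleware starts outside the hunk.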