Cross-Origin-Opener-Policy header on login pages
Problem
It seems that, by default, the OAuth Authorize page (and perhaps other login pages) does not send the Cross-Origin-Opener-Policy header, which leaves those pages vulnerable to cross-site leaks. Combined with social engineering, an attacker could get enough information and control from the child window to take over someone's account by redirecting it to the wrong OAuth app.
Solution
Add the Cross-Origin-Opener-Policy: same-origin header to all login pages.
Alternatives/workarounds
One alternative would be to inject the following into all login pages so that the application closes itself whenever it is opened from any other window.
The second option (probably the most secure and clean) is to use a K8s egress to add the header on all login pages; however, this requires a somewhat more complex deployment setup.
Related