helmetjs / helmet

Help secure Express apps with various HTTP headers
https://helmetjs.github.io/
MIT License

COOP and COEP - Report Only Mode Feature Request #336

Closed sricharankrishnan closed 1 year ago

sricharankrishnan commented 2 years ago

Hello Team Helmet! Thank you so much for this awesome piece of tech you guys have built. I've just been recently exposed to various HTTP headers that can help improve application security. I came across this article written by Scott Helme @ https://scotthelme.co.uk/coop-and-coep/

My question is: can we get a Cross-Origin-Embedder-Policy-Report-Only and Cross-Origin-Opener-Policy-Report-Only mode for Helmet, even for the current version? I think it would be a great add-on for us to understand these features.

What are your thoughts on this please?

Cheers and grateful once again for your support and kindness.

EvanHahn commented 2 years ago

This would be good to add. I can take a look at this, but probably not for the next few days.

sricharankrishnan commented 2 years ago

Sure thank you Evan.

EvanHahn commented 2 years ago

I'm looking into this and have found a few things:

  1. The HTML spec says that the report-to "parameter can have a valid URL string", which is different from the doc on Scott Helme's post.
  2. This feature is not super well-documented, and I'm not sure about browser support. Has anyone found browser support notes for this feature?

sricharankrishnan commented 2 years ago

Hello Evan,

Here is information from MDN regarding browser support

  1. COOP - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
  2. COEP - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

I also came across this Web.Dev https://web.dev/coop-coep/

There is a reference to the Report URI system. Any way you can think about integrating with that, maybe? Or am I missing something, Evan?

EvanHahn commented 2 years ago

The web.dev post says that Chrome supports the report-to feature, and they document it with an identifier (like coep_report) instead of a full URL (like the spec mentions).

I tried to set it up in a sample app but couldn't get it to work in Chrome, Firefox, or Brave. Is this something you've been able to get working?

sricharankrishnan commented 2 years ago

I will read the docs that I had proposed once again and see if I can come up with something to contribute to this. Apologies for my slightly delayed response, been busy with some work.

Will write in when I've found something.

EvanHahn commented 2 years ago

No worries! Take your time.

sricharankrishnan commented 2 years ago

Hello Evan, hope you had a good weekend. After a long day, here is what I could find out about our COOP and COEP friends:

  1. The report-only mode comes in with Chrome 96, I believe, so as per that web.dev article they are suggesting that we start migrating towards the "Reporting-Endpoints" header over a certain period of time.
  2. However, for now, we would need to use the "Report-To" header. Take a look at the attachments below.
  3. Not sure why, but I cannot get this to run on localhost.
  4. I needed to create a free account with Report-URI.com by Scott Helme, and it works like a charm, giving me the details of the COEP errors.
  5. You may need to experiment with COEP-Report-Only and see how this works.
  6. I am available for a Google Meet call if you are interested in a demo. Let me know.

[image attachment: two report]

EvanHahn commented 2 years ago

Thanks so much for looking into this. Strange that it doesn't work on localhost...maybe that was my problem.

I'll take another look, though it probably won't be for a little while. Thanks for this!

EvanHahn commented 2 years ago

I looked into this and here's my plan:

In general, I don't want to add things to Helmet if the standard is still in process. For example, I did that with Feature-Policy, and regret it. I've tried to learn my lesson and haven't added other features to Helmet that are still in flux (see #234).

To that end, I'm going to leave this feature request open but I don't think I'm going to make changes to Helmet yet. However, it's pretty easy to add these headers yourself if you want to try them. Let me know if that's something you want and I can put a code snippet together.
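
One way to set these headers yourself today, as an added example that is neither Helmet's code nor the snippet Evan offered. It emits the legacy `Report-To` group and the newer `Reporting-Endpoints` header side by side (the migration mentioned above), and uses a group name in `report-to` as web.dev documents it; the collector URL and the group name are placeholders, and the middleware only assumes an Express-style `(req, res, next)` signature:

```javascript
// Added example (not Helmet's code): COOP/COEP in report-only mode.
// Assumptions: `endpointUrl` is your own report collector (placeholder),
// `group` is an arbitrary group name, and the Reporting API requires a
// potentially trustworthy endpoint (https, or localhost for dev).
function buildReportingHeaders({ endpointUrl, group = "coep_report", maxAgeSeconds = 86400 }) {
  const url = new URL(endpointUrl); // throws on a malformed URL
  const trustworthy = url.protocol === "https:" || url.hostname === "localhost";
  if (!trustworthy) {
    throw new Error(`report endpoint must be https or localhost: ${endpointUrl}`);
  }
  // Reporting API v0: one JSON object per group in the Report-To header.
  const reportTo = JSON.stringify({
    group,
    max_age: maxAgeSeconds,
    endpoints: [{ url: url.href }],
  });
  // Reporting API v1: structured-header dictionary, group="url".
  const reportingEndpoints = `${group}="${url.href}"`;
  return {
    "Report-To": reportTo,
    "Reporting-Endpoints": reportingEndpoints,
    // Report-only variants never block anything; they only generate reports,
    // so they are safe to roll out before enforcing COOP/COEP.
    "Cross-Origin-Opener-Policy-Report-Only": `same-origin; report-to="${group}"`,
    "Cross-Origin-Embedder-Policy-Report-Only": `require-corp; report-to="${group}"`,
  };
}

// Express-style middleware: compute the header set once, apply per response.
function crossOriginReportOnly(options) {
  const headers = buildReportingHeaders(options);
  return function crossOriginReportOnlyMiddleware(req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Usage with Express (hypothetical app): app.use(crossOriginReportOnly({
//   endpointUrl: "https://your-collector.example/reports" }));
if (typeof module !== "undefined") {
  module.exports = { buildReportingHeaders, crossOriginReportOnly };
}
```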

sricharankrishnan commented 2 years ago

Hello Evan,

I completely understand how you feel. Sure, from a creator's perspective you wish to add features that are current and stable, not something that is just upcoming. Maybe this is worth exploring in the future.

Additionally, I have even read a couple of research papers on HTTP security headers, and this is just about catching up and people are becoming aware of this. I will leave it to you guys to have this feature added at your convenience.

But grateful for writing back. Wishing you a nice day. I am closing this from my side.

EvanHahn commented 2 years ago

Thanks for your response. I still think this is a valid issue—would you mind if I reopened it?

sricharankrishnan commented 2 years ago

Absolutely. I am happy to have this re-opened for you Evan. Let me know if you need something and I'll do my best to help. Have a nice day.

EvanHahn commented 1 year ago

@sricharankrishnan Is this still a feature you want? If not, I may close this issue.

sricharankrishnan commented 1 year ago

Dear Evan,

Perhaps we can skip this for now.

Maybe a future visit would be more appropriate, it's been a long time since I've visited this.

Grateful for you reaching out.

On Sat, Apr 8, 2023 at 10:43 PM Evan Hahn @.***> wrote:

Assigned #336 https://github.com/helmetjs/helmet/issues/336 to @sricharankrishnan https://github.com/sricharankrishnan.


EvanHahn commented 1 year ago

Sounds good.

I'm going to close this issue but let me know if you want me to reopen this, or if you have any other issues or requests!