Closed simonw closed 1 month ago
This is a Django default: https://docs.djangoproject.com/en/5.1/ref/middleware/#cross-origin-opener-policy
If a document that is isolated in this way opens a cross-origin popup window, the popup's window.opener property will be null. Isolating windows using COOP is a defense-in-depth protection against cross-origin attacks, especially those like Spectre which allowed exfiltration of data loaded into a shared browsing context.
I'm going to turn this off - if I was a fancy web app I'd worry about it, but for a mostly static blog I don't think it matters.
Before:
curl -I 'https://simonwillison.net/2023/Aug/27/wordcamp-llms/'
HTTP/2 200
date: Sat, 19 Oct 2024 05:19:30 GMT
content-type: text/html; charset=utf-8
report-to: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1729311460&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=RS%2FetdVhwLDCX%2B%2BaZxvONGb3cNBMjY5hkeZRQcc8f6c%3D"}]}
reporting-endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1729311460&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=RS%2FetdVhwLDCX%2B%2BaZxvONGb3cNBMjY5hkeZRQcc8f6c%3D
nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
django-composition: My Serenade
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
via: 1.1 vegur
cf-cache-status: HIT
age: 3709
last-modified: Sat, 19 Oct 2024 04:17:41 GMT
accept-ranges: bytes
server: cloudflare
cf-ray: 8d4e50449d9acea0-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=20229&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2906&recv_bytes=566&delivery_rate=139270&cwnd=139&unsent_bytes=0&cid=22a8498181108e9a&ts=44&x=0"
After:
HTTP/2 200
date: Sat, 19 Oct 2024 05:20:02 GMT
content-type: text/html; charset=utf-8
report-to: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1729315202&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=F%2FyEEPzcFRuarQlnU3a53NDkFR3wSOn65afWDPxxrvI%3D"}]}
reporting-endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1729315202&sid=c46efe9b-d3d2-4a0c-8c76-bfafa16c5add&s=F%2FyEEPzcFRuarQlnU3a53NDkFR3wSOn65afWDPxxrvI%3D
nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
django-composition: Deccaphonie
x-content-type-options: nosniff
referrer-policy: same-origin
via: 1.1 vegur
cf-cache-status: EXPIRED
last-modified: Sat, 19 Oct 2024 05:20:02 GMT
accept-ranges: bytes
server: cloudflare
cf-ray: 8d4e510d2adc169e-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=23729&sent=6&recv=12&lost=0&retrans=0&sent_bytes=2906&recv_bytes=597&delivery_rate=103925&cwnd=114&unsent_bytes=0&cid=4e5b1c44b509e76d&ts=332&x=0"
See:
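The before/after header dumps above are the practical check for a change like this one (in Django the header comes from SecurityMiddleware and is controlled by the SECURE_CROSS_ORIGIN_OPENER_POLICY setting, which is set to None to stop sending it). The following is an added example, not code from the issue, from simonwillison.net or from Django: it parses raw `curl -I` output, audits a small set of defensive headers, and reports which of them changed between two captures. The sample BEFORE/AFTER dumps inside it are constructed and trimmed; the hostname example.invalid is a placeholder.

```python
"""Compare security-relevant response headers between two `curl -I` dumps.

Added example (not code from the issue, simonwillison.net or Django). It
parses the raw header text that `curl -I` prints and reports which
defensive headers (COOP, nosniff, Referrer-Policy, ...) are present, so a
change such as setting SECURE_CROSS_ORIGIN_OPENER_POLICY = None in Django
settings can be verified from the outside.
"""
from typing import Dict, List, Optional, Tuple

# Headers worth tracking when auditing a response. The tuple lists the values
# treated as "hardened"; None means any value is accepted as present.
SECURITY_HEADERS: Dict[str, Optional[Tuple[str, ...]]] = {
    "cross-origin-opener-policy": ("same-origin", "same-origin-allow-popups"),
    "x-content-type-options": ("nosniff",),
    "referrer-policy": None,
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-frame-options": None,
}


def parse_curl_head(text: str) -> Tuple[str, Dict[str, str]]:
    """Parse `curl -I` output into (status_line, {lowercased-name: value}).

    Skips a leading command line (starting with 'curl ') and blank lines.
    Duplicate headers are joined with ', ' as RFC 9110 permits.
    """
    status = ""
    headers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("curl "):
            continue
        if line.upper().startswith("HTTP/"):
            status = line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than guess
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {header: 'ok' | 'missing' | 'unexpected: <value>'} for each tracked header."""
    result: Dict[str, str] = {}
    for name, expected in SECURITY_HEADERS.items():
        if name not in headers:
            result[name] = "missing"
        elif expected is None or headers[name].lower() in expected:
            result[name] = "ok"
        else:
            result[name] = f"unexpected: {headers[name]}"
    return result


def diff_security_headers(before: str, after: str) -> List[Tuple[str, str, str]]:
    """List (header, before_status, after_status) for tracked headers whose audit result changed."""
    a = audit(parse_curl_head(before)[1])
    b = audit(parse_curl_head(after)[1])
    return [(h, a[h], b[h]) for h in SECURITY_HEADERS if a[h] != b[h]]


# Constructed sample input, trimmed to the shape of the dumps in the issue.
BEFORE = """curl -I 'https://example.invalid/'
HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
referrer-policy: same-origin
cross-origin-opener-policy: same-origin
server: cloudflare
"""

AFTER = """HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
referrer-policy: same-origin
server: cloudflare
"""

if __name__ == "__main__":
    for header, was, now in diff_security_headers(BEFORE, AFTER):
        print(f"{header}: {was} -> {now}")
```

Run against the two real dumps in the issue, the only tracked header that changes is cross-origin-opener-policy (ok before, missing after); the other defensive headers Django sends by default, x-content-type-options and referrer-policy, remain in place, which is the outcome the comment above intends.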