New security headers: COOP, COEP, CORP and CORB

[philwareham]

There is a bunch of new security headers incoming, specifically COOP, COEP, CORP and CORB. We need to investigate which are appropriate to our family of sites.

Source: https://scotthelme.co.uk/coop-and-coep/

• Cross Origin Opener Policy (COOP) MDN
• Cross Origin Embedder Policy (COEP) MDN
• Cross Origin Resource Policy (CORP) MDN

Note that also Cross Origin Read Blocking (CORB) is mentioned, this depends on rules such as Access-Control-Allow-Origin: * not being used, which we currently do use (although I need to remember why we set this - there was a reason). EDIT: this was the reason.

[Bloke]

Great stuff.

EDit... OT but related: textpattern/textpattern#1681

[philwareham]

For reference (Apache): https://github.com/h5bp/server-configs-apache/blob/master/h5bp/security/cross-origin-policy.conf

[petecooper]

Also for ref h5bp/server-configs-nginx@25a569d

[philwareham]

Tentative rules for this (for Apache)...

Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-site"
Header always set Cross-Origin-Embedder-Policy "require-corp"

...but that relies on CORS being set up properly to work, and that subject is a whole other level of confusing to me, so I'll defer to someone with better knowledge - or read more about it at some point in the future.