
Consider including Cross-Origin-Opener-Policy: same-origin to default response headers #141780

Closed
azasypkin opened this issue Sep 26, 2022 · 1 comment
Labels: enhancement (New value added to drive a business result); Feature:Hardening (Hardening of Kibana from a security perspective); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

@azasypkin
Member

azasypkin commented Sep 26, 2022

Summary

The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. Refer to Reverse Tabnabbing to see a few examples of how harmful window.opener exposed to cross-origin documents can be.

We already add noopener by default to all external links, and this change wouldn't be a breaking change.

Pointers for implementation: #97158

Tasks

@azasypkin azasypkin added the Team:Security, enhancement and Feature:Hardening (Hardening of Kibana from a security perspective) labels Sep 26, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

thomheymann added a commit that referenced this issue Dec 21, 2022
Part of #141780

## Release notes

Include Cross-Origin-Opener-Policy in default response headers

## Testing

Load Kibana; you should see Kibana respond with
`Cross-Origin-Opener-Policy: same-origin` header for page loads and API
requests.
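The following is an added example and not Kibana's own code: it shows one way to attach `Cross-Origin-Opener-Policy: same-origin` (plus a couple of assumed companion headers) to every response from a Node HTTP handler, as the issue proposes, and a small checker that inspects a captured header map the way the commit's testing step describes. `DEFAULT_SECURITY_HEADERS`, `withDefaultHeaders`, `coopStatus` and the in-memory `fakeResponse` stand-in are all names introduced here, not Kibana APIs.

```javascript
// Added example (not Kibana code). Applies a default security-header set,
// including Cross-Origin-Opener-Policy: same-origin, to every response of a
// Node-style (req, res) handler, and checks a response header map for COOP.

// Default headers. Only COOP comes from the issue; the other two are assumed
// companions a hardening baseline commonly ships with.
const DEFAULT_SECURITY_HEADERS = Object.freeze({
  "Cross-Origin-Opener-Policy": "same-origin",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
});

// Set each default only if the route has not already set that header,
// so an explicit per-route value always wins over the baseline.
function applyDefaultHeaders(res, defaults = DEFAULT_SECURITY_HEADERS) {
  for (const [name, value] of Object.entries(defaults)) {
    if (res.getHeader(name) === undefined) res.setHeader(name, value);
  }
  return res;
}

// Wrap any (req, res) handler so the defaults are present before it writes.
function withDefaultHeaders(handler) {
  return (req, res) => {
    applyDefaultHeaders(res);
    return handler(req, res);
  };
}

// COOP values that place a top-level document in its own browsing context
// group when a cross-origin page opens it, i.e. the opener's reference to the
// window is severed. "unsafe-none" (the default) keeps the shared group.
const ISOLATING_COOP = new Set(["same-origin", "same-origin-allow-popups"]);

// Inspect a header map (names matched case-insensitively, as Node's
// res.getHeaders() returns lower-case keys). The value may carry a
// structured-header parameter such as `; report-to="coop"`, so only the
// token before the first ';' is compared.
function coopStatus(headers) {
  const entry = Object.entries(headers).find(
    ([k]) => k.toLowerCase() === "cross-origin-opener-policy"
  );
  if (!entry) return { present: false, isolating: false, value: null };
  const value = String(entry[1]).split(";")[0].trim().toLowerCase();
  return { present: true, isolating: ISOLATING_COOP.has(value), value };
}

// Constructed stand-in for http.ServerResponse with the two header methods
// the wrapper relies on, so the example runs without opening a socket.
function fakeResponse() {
  const headers = new Map();
  return {
    statusCode: 200,
    getHeader: (n) => headers.get(n.toLowerCase()),
    setHeader(n, v) {
      headers.set(n.toLowerCase(), v);
    },
    getHeaders: () => Object.fromEntries(headers),
    end() {},
  };
}

// Exercise a page route and an API route (both receive COOP from the
// defaults) and a route that deliberately overrides COOP after the defaults.
function demo() {
  const page = withDefaultHeaders((req, res) => {
    res.setHeader("Content-Type", "text/html");
    res.end("<h1>hello</h1>");
  });
  const api = withDefaultHeaders((req, res) => {
    res.setHeader("Content-Type", "application/json");
    res.end("{}");
  });
  const relaxed = withDefaultHeaders((req, res) => {
    // Explicit opt-out by a route; the checker should flag it as non-isolating.
    res.setHeader("Cross-Origin-Opener-Policy", "unsafe-none");
    res.end();
  });

  const results = {};
  for (const [name, handler] of Object.entries({ page, api, relaxed })) {
    const res = fakeResponse();
    handler({ url: `/${name}` }, res);
    results[name] = coopStatus(res.getHeaders());
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Against a live instance the same check is `coopStatus(response.headers)` on the header object returned by an HTTP client, for both a page load and an API call, which is exactly what the commit's testing step asks you to observe.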