Consider including Cross-Origin-Opener-Policy: same-origin to default response headers
#141780
Labels: enhancement, Feature:Hardening, Team:Security
Summary
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. Refer to Reverse Tabnabbing to see a few examples of how harmful window.opener exposed to cross-origin documents can be.
We already add noopener by default to all external links, and this change wouldn't be a breaking change. Pointers for implementation: #97158
Tasks
server.securityResponseHeaders to control sending of this header. Default is same-origin.
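As an added example (not Kibana's code, and not tied to its real config keys), a small Node.js audit that checks the two controls discussed above together: it lists external target=_blank links that lack rel=noopener and reports whether a Cross-Origin-Opener-Policy: same-origin response header closes that gap. Function names and the sample document are constructed for this illustration.

```javascript
// Added example, not Kibana's own code. Audits a rendered page together with its
// response headers for reverse-tabnabbing exposure: external target=_blank links that
// lack rel=noopener, and whether Cross-Origin-Opener-Policy: same-origin closes that gap.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

function isCrossOrigin(href, pageOrigin) {
  try { return new URL(href, pageOrigin).origin !== pageOrigin; } catch { return false; }
}

// Links that open a cross-origin document which would receive a live window.opener.
function findUnprotectedExternalLinks(html, pageOrigin) {
  const found = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(m[1]);
    if (!a.href || (a.target || '').toLowerCase() !== '_blank') continue;
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    const hasNoopener = rel.includes('noopener') || rel.includes('noreferrer');
    if (!hasNoopener && isCrossOrigin(a.href, pageOrigin)) found.push(a.href);
  }
  return found;
}

function auditOpenerExposure({ html, headers, pageOrigin }) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'cross-origin-opener-policy');
  const coop = entry ? entry[1].trim().toLowerCase() : 'unsafe-none'; // header absent == unsafe-none
  // Only "same-origin" puts cross-origin popups opened by this page into a new browsing
  // context group (opener severed). "same-origin-allow-popups" keeps the reference to
  // popups that set no COOP themselves, so it does not close the outbound-link gap.
  const coopSeversPopups = coop === 'same-origin';
  const unprotectedLinks = findUnprotectedExternalLinks(html, pageOrigin);
  return { coop, unprotectedLinks, exposed: unprotectedLinks.length > 0 && !coopSeversPopups };
}

// Constructed sample: one protected external link, one unprotected, one same-origin link.
const SAMPLE_HTML = `<!doctype html><body>
<a href="https://docs.example/guide" target="_blank" rel="noopener">docs</a>
<a href="https://external.example/doc" target="_blank">external</a>
<a href="/app/dashboards" target="_blank">dashboards</a>
</body>`;
const PAGE_ORIGIN = 'https://kibana.example';
```

Running auditOpenerExposure({ html: SAMPLE_HTML, headers: {}, pageOrigin: PAGE_ORIGIN }) reports the one unprotected link as exposed; adding the same-origin header to headers clears the exposure while still listing the link, which is the belt-and-braces point of shipping COOP alongside noopener.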