DEV: Change default of cross_origin_opener_policy_header (#24940)

Why this change?

This is part of our efforts to harden the security of the Discourse
application. Setting the `CROSS_ORIGIN_OPENER_POLICY` header to `same-origin-allow-popups`
by default makes the application safer. We have opted to make this a
hidden site setting because most admins will never have to care about
this setting so we're are opting not to show it. If they do have to
change it, they can still do so by setting the
`DISCOURSE_CROSS_ORIGIN_OPENER_POLICY` env.
This commit is contained in:
Alan Guo Xiang Tan
2023-12-19 11:46:44 +08:00
committed by GitHub
parent 3380d283c9
commit 38abc0d922
3 changed files with 3 additions and 5 deletions

View File

@ -993,9 +993,7 @@ class ApplicationController < ActionController::Base
end
def set_cross_origin_opener_policy_header
if SiteSetting.cross_origin_opener_policy_header != "unsafe-none"
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
end
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
end
protected