FEATURE: Add hidden site setting to list 'unsafe-none' COOP referrers (#27510)

Some tooling may rely on an unsafe-none cross origin opener policy to work. This change adds a hidden site setting that can be used to list referrers where we add this header instead of the default one configured in cross_origin_opener_policy_header.
2025-05-23 13:21:01 +08:00 · 2024-06-19 11:11:35 +08:00
parent 489aac3fdd
commit 3ff7ce78e7
3 changed files with 41 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1008,7 +1008,14 @@ class ApplicationController < ActionController::Base
  end

  def set_cross_origin_opener_policy_header
-    response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
+    response.headers["Cross-Origin-Opener-Policy"] = if SiteSetting
+         .cross_origin_opener_unsafe_none_referrers
+         .split("|")
+         .include?(request.referrer&.split("://")&.last)
+      "unsafe-none"
+    else
+      SiteSetting.cross_origin_opener_policy_header
+    end
  end

  protected