FEATURE: Use group based setting for unsafe-none COOP (#27783)

Followup 3ff7ce78e782c7d28c8b5a1a3f40a1de897d89a1 Basing this setting on referrer was too brittle -- the referrer header can easily be ommitted or changed. Instead, for the small amount of use cases that this site setting serves, we can use a group-based setting instead, changing it to `cross_origin_opener_unsafe_none_groups` instead.
2025-05-23 09:11:17 +08:00 · 2024-07-10 02:25:49 +10:00
parent a01be4150a
commit 7a7bdc9be5
4 changed files with 49 additions and 32 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1023,16 +1023,11 @@ class ApplicationController < ActionController::Base
  end

  def set_cross_origin_opener_policy_header
-    response.headers[
-      "Cross-Origin-Opener-Policy"
-    ] = if SiteSetting.cross_origin_opener_unsafe_none_referrers.present? &&
-         SiteSetting
-           .cross_origin_opener_unsafe_none_referrers
-           .split("|")
-           .include?(UrlHelper.relaxed_parse(request.referrer.to_s)&.host)
-      "unsafe-none"
+    if current_user.present? && SiteSetting.cross_origin_opener_unsafe_none_groups_map.any? &&
+         current_user.in_any_groups?(SiteSetting.cross_origin_opener_unsafe_none_groups_map)
+      response.headers["Cross-Origin-Opener-Policy"] = "unsafe-none"
    else
-      SiteSetting.cross_origin_opener_policy_header
+      response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
    end
  end