Include Cross-Origin-Opener-Policy in default response headers (#147874)

Part of #141780 ## Release notes Include Cross-Origin-Opener-Policy in default response headers ## Testing Load Kibana; you should see Kibana respond with `Cross-Origin-Opener-Policy: same-origin` header for page loads and API requests.
2025-04-24 09:48:58 -04:00 · 2022-12-21 15:27:15 +00:00 · 2022-12-21 15:27:15 +00:00 · b184f0615e
commit b184f0615e
parent 390d22aae7
13 changed files with 56 additions and 1 deletions
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@ -418,6 +418,10 @@ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options[`X-Fra
 {kib} in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors:
 'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header. *Default:* `false`

+[[server-securityResponseHeaders-crossOriginOpenerPolicy]] `server.securityResponseHeaders.crossOriginOpenerPolicy`::
+Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy[`Cross-Origin-Opener-Policy`] header is used in all
+responses to the client from the {kib} server, and specifies what value is used. Allowed values are `unsafe-none`, `same-origin-allow-popups`, `same-origin`, or `null`. To disable, set to `null`. *Default:* `"same-origin"`
+
 `server.customResponseHeaders` {ess-icon}::
 Header names and values to send on all responses to the client from the {kib} server. *Default: `{}`*

--- a/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
+++ b/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
@ -69,6 +69,7 @@ Object {
  },
  "rewriteBasePath": false,
  "securityResponseHeaders": Object {
+    "crossOriginOpenerPolicy": "same-origin",
    "disableEmbedding": false,
    "permissionsPolicy": null,
    "referrerPolicy": "no-referrer-when-downgrade",
--- a/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
+++ b/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
@ -18,6 +18,7 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
    expect(result.disableEmbedding).toBe(false);
    expect(result.securityResponseHeaders).toMatchInlineSnapshot(`
      Object {
+        "Cross-Origin-Opener-Policy": "same-origin",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "X-Content-Type-Options": "nosniff",
      }
@ -96,4 +97,21 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
      expect(result.disableEmbedding).toBe(true);
    });
  });
+
+  describe('crossOriginOpenerPolicy', () => {
+    it('a custom value results in the expected Cross-Origin-Opener-Policy header', () => {
+      const crossOriginOpenerPolicy = 'same-origin-allow-popups';
+      const config = schema.validate({ crossOriginOpenerPolicy });
+      const result = parse(config);
+      expect(result.securityResponseHeaders['Cross-Origin-Opener-Policy']).toEqual(
+        crossOriginOpenerPolicy
+      );
+    });
+
+    it('a null value removes the Cross-Origin-Opener-Policy header', () => {
+      const config = schema.validate({ crossOriginOpenerPolicy: null });
+      const result = parse(config);
+      expect(result.securityResponseHeaders['Cross-Origin-Opener-Policy']).toBeUndefined();
+    });
+  });
 });
--- a/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
+++ b/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
@ -38,6 +38,16 @@ export const securityResponseHeadersSchema = schema.object({
    defaultValue: null,
  }),
  disableEmbedding: schema.boolean({ defaultValue: false }), // is used to control X-Frame-Options and CSP headers
+  crossOriginOpenerPolicy: schema.oneOf(
+    // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+    [
+      schema.literal('unsafe-none'),
+      schema.literal('same-origin-allow-popups'),
+      schema.literal('same-origin'),
+      schema.literal(null),
+    ],
+    { defaultValue: 'same-origin' }
+  ),
 });

 /**
@ -64,6 +74,9 @@ export function parseRawSecurityResponseHeadersConfig(
  if (raw.permissionsPolicy) {
    securityResponseHeaders['Permissions-Policy'] = raw.permissionsPolicy;
  }
+  if (raw.crossOriginOpenerPolicy) {
+    securityResponseHeaders['Cross-Origin-Opener-Policy'] = raw.crossOriginOpenerPolicy;
+  }
  if (disableEmbedding) {
    securityResponseHeaders['X-Frame-Options'] = 'SAMEORIGIN';
  }
--- a/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts
+++ b/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts
@ -308,6 +308,7 @@ describe('CoreUsageDataService', () => {
                },
                "rewriteBasePath": false,
                "securityResponseHeaders": Object {
+                  "crossOriginOpenerPolicy": "same-origin",
                  "disableEmbedding": false,
                  "permissionsPolicyConfigured": false,
                  "referrerPolicy": "no-referrer-when-downgrade",
--- a/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.ts
+++ b/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.ts
@ -325,6 +325,7 @@ export class CoreUsageDataService
              http.securityResponseHeaders.permissionsPolicy ?? undefined
            ),
            disableEmbedding: http.securityResponseHeaders.disableEmbedding,
+            crossOriginOpenerPolicy: http.securityResponseHeaders.crossOriginOpenerPolicy ?? 'NULL',
          },
        },

--- a/packages/core/usage-data/core-usage-data-server-mocks/src/core_usage_data_service.mock.ts
+++ b/packages/core/usage-data/core-usage-data-server-mocks/src/core_usage_data_service.mock.ts
@ -105,6 +105,7 @@ const createStartContractMock = () => {
              referrerPolicy: 'no-referrer-when-downgrade',
              permissionsPolicyConfigured: false,
              disableEmbedding: false,
+              crossOriginOpenerPolicy: 'same-origin',
            },
            xsrf: {
              disableProtection: false,
--- a/packages/core/usage-data/core-usage-data-server/src/core_usage_data.ts
+++ b/packages/core/usage-data/core-usage-data-server/src/core_usage_data.ts
@ -116,6 +116,7 @@ export interface CoreConfigUsageData {
      referrerPolicy: string;
      permissionsPolicyConfigured: boolean;
      disableEmbedding: boolean;
+      crossOriginOpenerPolicy: string;
    };
  };

--- a/src/core/server/integration_tests/http/lifecycle_handlers.test.ts
+++ b/src/core/server/integration_tests/http/lifecycle_handlers.test.ts
@ -60,6 +60,7 @@ describe('core lifecycle handlers', () => {
            xContentTypeOptions: 'nosniff',
            referrerPolicy: 'strict-origin-when-cross-origin',
            permissionsPolicy: null,
+            crossOriginOpenerPolicy: 'same-origin',
          },
          customResponseHeaders: {
            'some-header': 'some-value',
--- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
+++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
@ -165,6 +165,7 @@ kibana_vars=(
    server.securityResponseHeaders.referrerPolicy
    server.securityResponseHeaders.strictTransportSecurity
    server.securityResponseHeaders.xContentTypeOptions
+    server.securityResponseHeaders.crossOriginOpenerPolicy
    server.shutdownTimeout
    server.socketTimeout
    server.ssl.cert
--- a/src/plugins/kibana_usage_collection/server/collectors/core/core_usage_collector.ts
+++ b/src/plugins/kibana_usage_collection/server/collectors/core/core_usage_collector.ts
@ -277,6 +277,12 @@ export function getCoreUsageCollector(
                  'Indicates if security headers to disable embedding have been configured.',
              },
            },
+            crossOriginOpenerPolicy: {
+              type: 'keyword',
+              _meta: {
+                description: 'The crossOriginOpenerPolicy response header, "NULL" if disabled.',
+              },
+            },
          },
        },

--- a/src/plugins/kibana_usage_collection/server/collectors/core/core_usage_data.ts
+++ b/src/plugins/kibana_usage_collection/server/collectors/core/core_usage_data.ts
@ -253,6 +253,7 @@ export interface CoreConfigUsageData {
      referrerPolicy: string;
      permissionsPolicyConfigured: boolean;
      disableEmbedding: boolean;
+      crossOriginOpenerPolicy: string;
    };
  };

--- a/src/plugins/telemetry/schema/oss_plugins.json
+++ b/src/plugins/telemetry/schema/oss_plugins.json
@ -6758,6 +6758,12 @@
                      "_meta": {
                        "description": "Indicates if security headers to disable embedding have been configured."
                      }
+                    },
+                    "crossOriginOpenerPolicy": {
+                      "type": "keyword",
+                      "_meta": {
+                        "description": "The crossOriginOpenerPolicy response header, \"NULL\" if disabled."
+                      }
                    }
                  }
                }
@ -10549,4 +10555,4 @@
      }
    }
  }
-}
+}