
Add support for Cross-Origin security headers (COOP, CORP, COEP)

Open Copilot opened this issue 5 months ago • 0 comments

Implements support for three additional Cross-Origin HTTP security headers as requested in #81:

  • Cross-Origin-Opener-Policy (COOP) - Controls whether a document can share a browsing context group with cross-origin documents
  • Cross-Origin-Resource-Policy (CORP) - Controls which origins can load the resource
  • Cross-Origin-Embedder-Policy (COEP) - Prevents loading cross-origin resources without explicit permission

New Configuration Directives

security_headers_coop

security_headers_coop same-origin;
  • Values: unsafe-none, same-origin-allow-popups, same-origin, omit
  • Default: omit
  • Ensures top-level documents don't share browsing context with cross-origin documents
  • Required for enabling powerful browser features like SharedArrayBuffer

security_headers_corp

security_headers_corp same-origin;
  • Values: same-site, same-origin, cross-origin, omit
  • Default: omit
  • Controls which origins can load the resource via <img>, <script>, <link>, etc.

security_headers_coep

security_headers_coep require-corp;
  • Values: unsafe-none, require-corp, omit
  • Default: omit
  • Prevents loading cross-origin resources without explicit CORP permission
  • Works with COOP to enable cross-origin isolation

Example Usage

Enable cross-origin isolation for a secure application:

server {
    listen 443 ssl;
    server_name app.example.com;
    
    security_headers on;
    security_headers_coop same-origin;
    security_headers_corp same-origin;
    security_headers_coep require-corp;
    
    location / {
        # Your application
    }
}

This configuration enables modern browser features that require cross-origin isolation while maintaining security.

Implementation Details

  • All three headers default to omit to avoid breaking existing sites
  • Can be configured at http, server, or location level with proper inheritance
  • Follows the same pattern as existing headers (security_headers_xss, security_headers_frame, etc.)
  • Comprehensive test coverage with 12 new tests
  • Complete documentation in README

References

Fixes #81


Original prompt

This section details the original issue you should resolve

<issue_title>Feature Request: Additional Cross-Origin headers (COOP, CORP, COEP)</issue_title> <issue_description>Implement new upcoming HTTP Cross-Origin headers.

Sources:

  • https://owasp.org/www-project-secure-headers/
  • https://scotthelme.co.uk/coop-and-coep/</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes GetPageSpeed/ngx_security_headers#17


Copilot, Sep 30 '25 14:09
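The PR above describes three directives, their accepted values, and the combination (COOP `same-origin` with COEP `require-corp`) that a browser requires before it treats a document as cross-origin isolated. The following is an added example, not code from the ngx_security_headers project or from the PR author: a small Python checker that parses a raw HTTP response head, reports whether the headers yield cross-origin isolation, and compares the observed headers against what a given set of `security_headers_*` directive values should emit. The allowed-value lists are copied from the PR description; the mapping of `omit` to "no header sent" follows the PR's wording; the sample responses are constructed, not captured from a real server.

```python
"""Cross-origin isolation checker for COOP / CORP / COEP response headers.

Added example, not code from the ngx_security_headers project. The allowed
directive values are copied from the PR description; the isolation rule
(COOP same-origin together with COEP require-corp) is the browser
precondition for SharedArrayBuffer and similar features. The sample
responses below are constructed, not captured from a real server.
"""
from typing import Dict, List

# Allowed values per directive, as listed in the PR description.
# "omit" means the module sends no header at all.
ALLOWED: Dict[str, set] = {
    "security_headers_coop": {"unsafe-none", "same-origin-allow-popups", "same-origin", "omit"},
    "security_headers_corp": {"same-site", "same-origin", "cross-origin", "omit"},
    "security_headers_coep": {"unsafe-none", "require-corp", "omit"},
}

# Which response header each directive controls (lower-cased for comparison).
HEADER_FOR: Dict[str, str] = {
    "security_headers_coop": "cross-origin-opener-policy",
    "security_headers_corp": "cross-origin-resource-policy",
    "security_headers_coep": "cross-origin-embedder-policy",
}


def validate_directive(name: str, value: str) -> bool:
    """True if `value` is one of the values the directive accepts."""
    return value in ALLOWED.get(name, set())


def expected_headers(config: Dict[str, str]) -> Dict[str, str]:
    """Headers the module should emit for a config; 'omit' emits nothing."""
    out: Dict[str, str] = {}
    for directive, value in config.items():
        if not validate_directive(directive, value):
            raise ValueError(f"{directive}: unsupported value {value!r}")
        if value != "omit":
            out[HEADER_FOR[directive]] = value
    return out


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x response head into a lower-cased header dict.

    Header parameters (e.g. '; report-to=...') are dropped so that values
    can be compared against the bare policy tokens.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.split(";", 1)[0].strip().lower()
    return headers


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Report whether the response yields cross-origin isolation, with findings."""
    coop = headers.get("cross-origin-opener-policy")
    coep = headers.get("cross-origin-embedder-policy")
    corp = headers.get("cross-origin-resource-policy")
    findings: List[str] = []
    if coop != "same-origin":
        findings.append(f"COOP is {coop!r}; 'same-origin' is required for isolation")
    if coep != "require-corp":
        findings.append(f"COEP is {coep!r}; 'require-corp' is required for isolation")
    if corp is None:
        findings.append("CORP missing; any origin may load this resource via <img>/<script>")
    return {"isolated": coop == "same-origin" and coep == "require-corp",
            "findings": findings}


def diff_against_config(headers: Dict[str, str], config: Dict[str, str]) -> List[str]:
    """Describe where observed headers deviate from what the config should emit."""
    diffs: List[str] = []
    for name, want in expected_headers(config).items():
        got = headers.get(name)
        if got != want:
            diffs.append(f"{name}: expected {want!r}, observed {got!r}")
    return diffs


# Constructed sample: what the PR's "Example Usage" server block should produce.
ISOLATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "\r\n<html></html>"
)

# Constructed sample: COOP set (with a reporting parameter), COEP and CORP omitted.
PARTIAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cross-Origin-Opener-Policy: same-origin; report-to=\"coop\"\r\n"
    "\r\n"
)

# Directive values from the PR's "Example Usage" block.
EXAMPLE_CONFIG = {
    "security_headers_coop": "same-origin",
    "security_headers_corp": "same-origin",
    "security_headers_coep": "require-corp",
}

if __name__ == "__main__":
    for label, raw in (("isolated", ISOLATED_RESPONSE), ("partial", PARTIAL_RESPONSE)):
        hdrs = parse_response_head(raw)
        print(label, assess(hdrs), diff_against_config(hdrs, EXAMPLE_CONFIG))
```

Because the module defaults every directive to `omit`, a server that sets only `security_headers_coop` looks like the second sample: the opener policy is present but the document is still not isolated, and the checker reports the missing COEP and CORP headers rather than a silent pass.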