
Add Cross-Origin Policy feature with configurable headers (COEP, COOP, CORP)

Open Spomky opened this issue 5 months ago • 5 comments

Hi,

This is a first attempt at addressing #371. Feedback is very welcome. Please let me know if anything should be adjusted or improved.

EDIT: default values TBD.

Kind Regards,

Spomky avatar Jul 29 '25 09:07 Spomky

Codecov Report

:x: Patch coverage is 96.22642% with 2 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 95.78%. Comparing base (7de9ce4) to head (3a14763). :warning: Report is 33 commits behind head on master.

Files with missing lines Patch % Lines
src/ContentSecurityPolicy/PolicyManager.php 0.00% 1 Missing :warning:
src/EventListener/CrossOriginPolicyListener.php 90.90% 1 Missing :warning:
Additional details and impacted files
@@             Coverage Diff              @@
##             master     #372      +/-   ##
============================================
- Coverage     95.90%   95.78%   -0.13%     
- Complexity      443      469      +26     
============================================
  Files            53       58       +5     
  Lines          1979     2015      +36     
============================================
+ Hits           1898     1930      +32     
- Misses           81       85       +4     


codecov-commenter avatar Jul 29 '25 09:07 codecov-commenter

Default values are the default values from browsers, right? At least I think that is what I would use as default.

Implementation looks good to me, thanks!

It needs a rebase though, and it'd still be great to update the docs (https://github.com/nelmio/NelmioSecurityBundle/blob/master/src/Resources/doc/index.rst), and to also add it to the Maximum Security Configuration with all same-origin values I suppose? Not sure what's best for COEP.

Seldaek avatar Nov 29 '25 10:11 Seldaek

OK noted. I'll rebase and add sections in the documentation. Regards.

Yes, the default values are the ones taken from the header specification pages:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy#unsafe-none
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy#unsafe-none

However, I will revert it and set null instead, meaning the headers are absent.

Spomky avatar Dec 08 '25 07:12 Spomky

Hi @Seldaek. I've made the following changes:

  • Documentation added
  • Tests added
  • Path-based configuration
  nelmio_security:
      cross_origin_isolation:
          enabled: true
          paths:
              # Strict isolation for admin area
              '^/admin':
                  coep: require-corp
                  coop: same-origin
                  corp: same-origin
              # More permissive for API
              '^/api':
                  coep: unsafe-none
                  corp: cross-origin
              # Default for everything else
              '^/.*':
                  coep: unsafe-none
                  coop: unsafe-none
                  corp: same-site

Let me know if you'd like any other changes. Note that I do not understand the failing tests.

Spomky avatar Dec 11 '25 15:12 Spomky

Ok a few changes and all tests pass. It is now possible to configure the headers with the report only or report features.

# Basic:
    coep: require-corp
    coop: same-origin

# Is equivalent to:
    coep:
        value: require-corp
        report_only: false
        report_to: null
    coop:
        value: same-origin
        report_only: false
        report_to: null

Spomky avatar Dec 12 '25 13:12 Spomky
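To make the two configuration shapes in this thread concrete (the path-based block from the Dec 11 comment and the short/long `report_only`/`report_to` form from the Dec 12 comment), here is an added, stand-alone illustration of the header-resolution logic. It is not the bundle's code and not PHP: the listener, matcher and option names in the real PR may differ. What it assumes: the first matching path pattern wins; a directive that is `null` or omitted produces no header (as agreed in the Dec 8 comment); `report_only` switches COEP/COOP to their `-Report-Only` header names; `report_to` is appended as `; report-to="<group>"`; and CORP, which has no reporting variant in the spec, rejects both options. The allowed value sets are the ones listed on the MDN pages linked above.

```python
import re

# Constructed for this example: the YAML posted in the thread, transcribed
# as a dict. Dict insertion order stands in for YAML key order.
CONFIG = {
    "enabled": True,
    "paths": {
        "^/admin": {"coep": "require-corp", "coop": "same-origin", "corp": "same-origin"},
        "^/api": {"coep": "unsafe-none", "corp": "cross-origin"},  # no coop -> no COOP header
        "^/.*": {"coep": "unsafe-none", "coop": "unsafe-none", "corp": "same-site"},
    },
}

HEADER_NAMES = {
    "coep": "Cross-Origin-Embedder-Policy",
    "coop": "Cross-Origin-Opener-Policy",
    "corp": "Cross-Origin-Resource-Policy",
}

# Values from the MDN reference pages; the bundle may validate differently.
ALLOWED = {
    "coep": {"unsafe-none", "require-corp", "credentialless"},
    "coop": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "corp": {"same-origin", "same-site", "cross-origin"},
}


def normalize(directive):
    """Expand the short form ('require-corp') into the long form
    {'value', 'report_only', 'report_to'}; None/absent stays None."""
    if directive is None:
        return None
    if isinstance(directive, str):
        directive = {"value": directive}
    return {
        "value": directive["value"],
        "report_only": bool(directive.get("report_only", False)),
        "report_to": directive.get("report_to"),
    }


def build_headers(section):
    """Turn one path section into {header-name: header-value}.
    Raises ValueError on unknown values or on reporting options for CORP."""
    headers = {}
    for key in ("coep", "coop", "corp"):
        directive = normalize(section.get(key))
        if directive is None:
            continue  # null / omitted means the header is not sent
        if directive["value"] not in ALLOWED[key]:
            raise ValueError(f"invalid {key} value: {directive['value']!r}")
        name = HEADER_NAMES[key]
        value = directive["value"]
        if directive["report_only"] or directive["report_to"] is not None:
            if key == "corp":
                # The spec defines no CORP-Report-Only header and no report-to
                # parameter for CORP, so refuse rather than emit a bogus header.
                raise ValueError("corp does not support report_only/report_to")
            if directive["report_to"] is not None:
                value += f'; report-to="{directive["report_to"]}"'
            if directive["report_only"]:
                name += "-Report-Only"
        headers[name] = value
    return headers


def resolve(path, config=CONFIG):
    """Pick the first path pattern that matches (assumption) and build its headers."""
    if not config.get("enabled", False):
        return {}
    for pattern, section in config["paths"].items():
        if re.search(pattern, path):
            return build_headers(section)
    return {}


def is_valid(section):
    """True when the section would be accepted by build_headers."""
    try:
        build_headers(section)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("/admin/users", "/api/v1/items", "/", "/blog"):
        print(p, resolve(p))
```

Note the `^/api` case: because `coop` is not configured there, the response carries COEP and CORP but no COOP header at all, which is the "null means absent" behaviour rather than a browser-default `unsafe-none`. A page served with `Cross-Origin-Embedder-Policy: require-corp` only becomes cross-origin isolated when it also sends `Cross-Origin-Opener-Policy: same-origin`, which is why the strict `^/admin` block sets both; rolling that out with `report_only: true` first lets you see which embedded resources would be blocked before enforcing it.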