Fixed #31840 -- Added support for Cross-Origin Opener Policy header.

Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
2025-09-26 20:19:16 +00:00 · 2020-08-26 12:09:19 -04:00 · 2020-08-26 12:09:19 -04:00 · db5b75f10f
commit db5b75f10f
parent f6018c1e63
12 changed files with 175 additions and 5 deletions
--- a/tests/middleware/test_security.py
+++ b/tests/middleware/test_security.py
@ -282,3 +282,42 @@ class SecurityMiddlewareTest(SimpleTestCase):
        """
        response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
        self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url')
+
+    @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY=None)
+    def test_coop_off(self):
+        """
+        With SECURE_CROSS_ORIGIN_OPENER_POLICY set to None, the middleware does
+        not add a "Cross-Origin-Opener-Policy" header to the response.
+        """
+        self.assertNotIn('Cross-Origin-Opener-Policy', self.process_response())
+
+    def test_coop_default(self):
+        """SECURE_CROSS_ORIGIN_OPENER_POLICY defaults to same-origin."""
+        self.assertEqual(
+            self.process_response().headers['Cross-Origin-Opener-Policy'],
+            'same-origin',
+        )
+
+    def test_coop_on(self):
+        """
+        With SECURE_CROSS_ORIGIN_OPENER_POLICY set to a valid value, the
+        middleware adds a "Cross-Origin_Opener-Policy" header to the response.
+        """
+        tests = ['same-origin', 'same-origin-allow-popups', 'unsafe-none']
+        for value in tests:
+            with self.subTest(value=value), override_settings(
+                SECURE_CROSS_ORIGIN_OPENER_POLICY=value,
+            ):
+                self.assertEqual(
+                    self.process_response().headers['Cross-Origin-Opener-Policy'],
+                    value,
+                )
+
+    @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY='unsafe-none')
+    def test_coop_already_present(self):
+        """
+        The middleware doesn't override a "Cross-Origin-Opener-Policy" header
+        already present in the response.
+        """
+        response = self.process_response(headers={'Cross-Origin-Opener-Policy': 'same-origin'})
+        self.assertEqual(response.headers['Cross-Origin-Opener-Policy'], 'same-origin')