Fixed #31840 -- Added support for Cross-Origin Opener Policy header.

Thanks Adam Johnson and Tim Graham for the reviews.

Co-authored-by: Tim Graham <timograham@gmail.com>

docs/ref/checks.txt

@@ -417,8 +417,9 @@ The following checks are run if you use the :option:`check --deploy` option:
   :class:`django.middleware.security.SecurityMiddleware` in your
   :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
   :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
-  :setting:`SECURE_REFERRER_POLICY`, and :setting:`SECURE_SSL_REDIRECT`
-  settings will have no effect.
+  :setting:`SECURE_REFERRER_POLICY`,
+  :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`, and
+  :setting:`SECURE_SSL_REDIRECT` settings will have no effect.
 * **security.W002**: You do not have
   :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
   :setting:`MIDDLEWARE`, so your pages will not be served with an
@@ -510,6 +511,8 @@ The following checks are run if you use the :option:`check --deploy` option:
   should consider enabling this header to protect user privacy.
 * **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting
   to an invalid value.
+* **security.E024**: You have set the
+  :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting to an invalid value.
 
 The following checks verify that your security-related settings are correctly
 configured:

docs/ref/middleware.txt

@@ -198,6 +198,7 @@ enabled or disabled with a setting.
 
 * :setting:`SECURE_BROWSER_XSS_FILTER`
 * :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
+* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
 * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
 * :setting:`SECURE_HSTS_PRELOAD`
 * :setting:`SECURE_HSTS_SECONDS`
@@ -354,6 +355,43 @@ this setting are:
 
     __ https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values
 
+.. _cross-origin-opener-policy:
+
+Cross-Origin Opener Policy
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 4.0
+
+Some browsers have the ability to isolate top-level windows from other
+documents by putting them in a separate browsing context group based on the
+value of the `Cross-Origin Opener Policy`__ (COOP) header. If a document that
+is isolated in this way opens a cross-origin popup window, the popup’s
+``window.opener`` property will be ``null``. Isolating windows using COOP is a
+defense-in-depth protection against cross-origin attacks, especially those like
+Spectre which allowed exfiltration of data loaded into a shared browsing
+context.
+
+__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+
+``SecurityMiddleware`` can set the ``Cross-Origin-Opener-Policy`` header for
+you, based on the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting. The
+valid values for this setting are:
+
+``same-origin``
+    Isolates the browsing context exclusively to same-origin documents.
+    Cross-origin documents are not loaded in the same browsing context. This
+    is the default and most secure option.
+
+``same-origin-allow-popups``
+    Isolates the browsing context to same-origin documents or those which
+    either don't set COOP or which opt out of isolation by setting a COOP of
+    ``unsafe-none``.
+
+``unsafe-none``
+    Allows the document to be added to its opener's browsing context group
+    unless the opener itself has a COOP of ``same-origin`` or
+    ``same-origin-allow-popups``.
+
 .. _x-content-type-options:
 
 ``X-Content-Type-Options: nosniff``

docs/ref/settings.txt

@@ -2262,6 +2262,20 @@ If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
 sets the :ref:`x-content-type-options` header on all responses that do not
 already have it.
 
+.. setting:: SECURE_CROSS_ORIGIN_OPENER_POLICY
+
+``SECURE_CROSS_ORIGIN_OPENER_POLICY``
+-------------------------------------
+
+.. versionadded:: 4.0
+
+Default: ``'same-origin'``
+
+Unless set to ``None``, the
+:class:`~django.middleware.security.SecurityMiddleware` sets the
+:ref:`cross-origin-opener-policy` header on all responses that do not already
+have it to the value provided.
+
 .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
 
 ``SECURE_HSTS_INCLUDE_SUBDOMAINS``
@@ -3599,6 +3613,7 @@ HTTP
 
   * :setting:`SECURE_BROWSER_XSS_FILTER`
   * :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
+  * :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
   * :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
   * :setting:`SECURE_HSTS_PRELOAD`
   * :setting:`SECURE_HSTS_SECONDS`

docs/releases/4.0.txt

@@ -229,7 +229,11 @@ Models
 Requests and Responses
 ~~~~~~~~~~~~~~~~~~~~~~
 
-* ...
+* The :class:`~django.middleware.security.SecurityMiddleware` now adds the
+  :ref:`Cross-Origin Opener Policy <cross-origin-opener-policy>` header with a
+  value of ``'same-origin'`` to prevent cross-origin popups from sharing the
+  same browsing context. You can prevent this header from being added by
+  setting the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting to ``None``.
 
 Security
 ~~~~~~~~

docs/spelling_wordlist

@@ -204,6 +204,7 @@ Ess
 ETag
 ETags
 exe
+exfiltration
 extensibility
 Facebook
 fallback
@@ -608,6 +609,7 @@ sortable
 spam
 spammers
 spatialite
+Spectre
 Springmeyer
 SQL
 ssi

docs/topics/security.txt

@@ -213,6 +213,19 @@ protect the privacy of your users, restricting under which circumstances the
 ``Referer`` header is set. See :ref:`the referrer policy section of the
 security middleware reference <referrer-policy>` for details.
 
+Cross-origin opener policy
+==========================
+
+.. versionadded:: 4.0
+
+The cross-origin opener policy (COOP) header allows browsers to isolate a
+top-level window from other documents by putting them in a different context
+group so that they cannot directly interact with the top-level window. If a
+document protected by COOP opens a cross-origin popup window, the popup’s
+``window.opener`` property will be ``null``. COOP protects against cross-origin
+attacks. See :ref:`the cross-origin opener policy section of the security
+middleware reference <cross-origin-opener-policy>` for details.
+
 Session security
 ================