Merge pull request #11489 from overleaf/em-fix-paypal

Set COOP header to same-origin-allow-popups GitOrigin-RevId: c8c3751386addb307ee2caf59c228484e8e593c0
2025-04-20 02:03:48 +00:00 · 2023-01-26 14:39:10 -05:00 · 2023-01-26 14:39:10 -05:00 · 2dbc0e3b3d
commit 2dbc0e3b3d
parent dad1460d71
2 changed files with 4 additions and 1 deletions
--- a/services/web/app/src/infrastructure/Server.js
+++ b/services/web/app/src/infrastructure/Server.js
@ -272,6 +272,9 @@ webRouter.use(
    // Disabled because it's impractical to include every resource via CORS or
    // with the magic CORP header
    crossOriginEmbedderPolicy: false,
+    // We need to be able to share the context of some popups. For example,
+    // when Recurly opens Paypal in a popup.
+    crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
    // Disabled because it's not a security header and has possibly-unwanted
    // effects
    originAgentCluster: false,
--- a/services/web/test/acceptance/src/SecurityHeadersTests.js
+++ b/services/web/test/acceptance/src/SecurityHeadersTests.js
@ -23,7 +23,7 @@ const assert_has_common_headers = function (response) {
    'x-download-options': 'noopen',
    'x-xss-protection': '0',
    'cross-origin-resource-policy': 'same-origin',
-    'cross-origin-opener-policy': 'same-origin',
+    'cross-origin-opener-policy': 'same-origin-allow-popups',
    'x-content-type-options': 'nosniff',
    'x-permitted-cross-domain-policies': 'none',
    'referrer-policy': 'origin-when-cross-origin',