Implement Cross-Origin-Opener-Policy Header

Addresses issue: #6176

install_files/ansible-base/roles/app/templates/sites-available/focal/journalist.conf

@@ -33,6 +33,7 @@ Header onsuccess unset X-Download-Options
 Header always set X-Download-Options "noopen"
 Header onsuccess unset Content-Security-Policy
 Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+Header set Cross-Origin-Opener-Policy "same-origin"
 
 # Limit the max submitted size of requests.
 LimitRequestBody 524288000

install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf

@@ -54,6 +54,7 @@ Header onsuccess unset X-Download-Options
 Header always set X-Download-Options "noopen"
 Header onsuccess unset X-Content-Type-Options
 Header always set X-Content-Type-Options "nosniff"
+Header set Cross-Origin-Opener-Policy "same-origin"
 
 Header unset Etag
 

molecule/testinfra/vars/app-qubes-staging.yml

@@ -5,6 +5,8 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
+
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "{{ securedrop_venv }}/bin"

molecule/testinfra/vars/app-staging.yml

@@ -5,6 +5,7 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin

molecule/testinfra/vars/prod.yml

@@ -5,6 +5,7 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/prodVM.yml

@@ -5,6 +5,7 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/qubes-staging.yml

@@ -5,6 +5,7 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"

molecule/testinfra/vars/staging.yml

@@ -5,6 +5,7 @@ wanted_apache_headers:
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
+  Cross-Origin-Opener-Policy: "same-origin"
 
 securedrop_venv: /opt/venvs/securedrop-app-code
 securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin