feat: cors support for embedder and opener

fixtures/config.toml

@@ -12,15 +12,17 @@ port = 7878
 # cert = "cert.pem"
 # key = "key.pem"
 
-# [cors]
-# allow_credentials = false
-# allow_headers = ["content-type", "authorization", "content-length"]
-# allow_methods = ["GET", "PATCH", "POST", "PUT", "DELETE"]
-# allow_origin = "example.com"
-# expose_headers = ["*", "authorization"]
-# max_age = 600
-# request_headers = ["x-app-version"]
-# request_method = "GET"
+[cors]
+allow_credentials = false
+allow_headers = ["content-type", "authorization", "content-length"]
+allow_methods = ["GET", "PATCH", "POST", "PUT", "DELETE"]
+allow_origin = "example.com"
+expose_headers = ["*", "authorization"]
+max_age = 600
+request_headers = ["x-app-version"]
+request_method = "GET"
+embedder_policy = "require-corp"
+opener_policy = "same-origin"
 
 # [compression]
 # gzip = true

src/addon/cors.rs

@@ -79,6 +79,18 @@ pub struct Cors {
     /// preflight request is always an OPTIONS and doesn't use the same method as
     /// the actual request.
     pub(crate) request_method: Option<String>,
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a
+    /// document from loading any cross-origin resources that don't explicitly
+    /// grant the document permission (using CORP or CORS).
+    ///
+    /// Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
+    pub(crate) embedder_policy: Option<String>,
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to
+    /// ensure a top-level document does not share a browsing context group with
+    /// cross-origin documents.
+    ///
+    /// Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+    pub(crate) opener_policy: Option<String>,
 }
 
 impl Cors {
@@ -156,6 +168,32 @@ impl Cors {
             ));
         }
 
+        if let Some(embedder_policy) = cors.embedder_policy {
+            // TODO: Validate possible directives
+            //
+            // Cross-Origin-Embedder-Policy: unsafe-none | require-corp
+            //
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+            cors_headers.push((
+                HeaderName::from_static("Cross-Origin-Embedder-Policy"),
+                HeaderValue::from_str(embedder_policy.as_str()).unwrap(),
+            ));
+        }
+
+        if let Some(opener_policy) = cors.opener_policy {
+            // TODO: Validate possible directives
+            //
+            // Cross-Origin-Opener-Policy: unsafe-none
+            // Cross-Origin-Opener-Policy: same-origin-allow-popups
+            // Cross-Origin-Opener-Policy: same-origin
+            //
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy#directives
+            cors_headers.push((
+                HeaderName::from_static("Cross-Origin-Opener-Policy"),
+                HeaderValue::from_str(opener_policy.as_str()).unwrap(),
+            ));
+        }
+
         cors_headers
     }
 }
@@ -206,6 +244,16 @@ impl CorsBuilder {
         self
     }
 
+    pub fn embedder_policy(mut self, embedder_policy: String) -> Self {
+        self.config.embedder_policy = Some(embedder_policy);
+        self
+    }
+
+    pub fn opener_policy(mut self, opener_policy: String) -> Self {
+        self.config.opener_policy = Some(opener_policy);
+        self
+    }
+
     pub fn build(self) -> Cors {
         self.config
     }
@@ -249,6 +297,14 @@ impl TryFrom<CorsConfig> for Cors {
             builder = builder.request_method(request_method);
         }
 
+        if let Some(embedder_policy) = value.embedder_policy {
+            builder = builder.embedder_policy(embedder_policy);
+        }
+
+        if let Some(opener_policy) = value.opener_policy {
+            builder = builder.opener_policy(opener_policy);
+        }
+
         Ok(builder.build())
     }
 }
@@ -360,6 +416,7 @@ mod tests {
             max_age: Some(max_age),
             request_headers: Some(request_headers.clone()),
             request_method: Some(request_method.clone()),
+            ..Default::default()
         };
         let cors = Cors {
             allow_credentials: true,
@@ -370,6 +427,7 @@ mod tests {
             max_age: Some(max_age),
             request_headers: Some(request_headers),
             request_method: Some(request_method),
+            ..Default::default()
         };
 
         assert_eq!(cors, Cors::try_from(config).unwrap());

src/config/cors.rs

@@ -1,6 +1,7 @@
 use serde::Deserialize;
 
 #[derive(Clone, Debug, Deserialize, PartialEq, Eq)]
+#[derive(Default)]
 pub struct CorsConfig {
     pub allow_credentials: bool,
     pub allow_headers: Option<Vec<String>>,
@@ -10,6 +11,8 @@ pub struct CorsConfig {
     pub max_age: Option<u64>,
     pub request_headers: Option<Vec<String>>,
     pub request_method: Option<String>,
+    pub embedder_policy: Option<String>,
+    pub opener_policy: Option<String>,
 }
 
 impl CorsConfig {
@@ -31,9 +34,9 @@ impl CorsConfig {
             ]),
             allow_credentials: false,
             max_age: Some(43200),
-            expose_headers: None,
-            request_headers: None,
-            request_method: None,
+            ..Default::default()
         }
     }
 }
+
+

src/config/file.rs

@@ -190,10 +190,7 @@ mod tests {
                 "DELETE".to_string(),
             ]),
             allow_origin: Some(String::from("example.com")),
-            expose_headers: None,
-            max_age: None,
-            request_headers: None,
-            request_method: None,
+            ..Default::default()
         };
         let config = ConfigFile::parse_toml(file_contents).unwrap();
         let root_dir = Some(std::env::current_dir().unwrap());
@@ -219,6 +216,8 @@ mod tests {
             max_age = 2800
             request_headers = ["x-app-version"]
             request_method = "GET"
+            embedder_policy = "require-corp"
+            opener_policy = "same-origin"
         "#;
         let host = IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0));
         let port = 8080;
@@ -242,6 +241,8 @@ mod tests {
             max_age: Some(2800),
             request_headers: Some(vec!["x-app-version".to_string()]),
             request_method: Some(String::from("GET")),
+            embedder_policy: Some(String::from("require-corp")),
+            opener_policy: Some(String::from("same-origin")),
         };
         let config = ConfigFile::parse_toml(file_contents).unwrap();