fix: allow cross-origin popups to access opener's browser context

benefits/settings.py

@@ -114,6 +114,9 @@ def _filter_empty(ls):
 
 SECURE_BROWSER_XSS_FILTER = True
 
+# required so that cross-origin pop-ups (like the enrollment overlay) have access to parent window context
+SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin-allow-popups"
+
 # the NGINX reverse proxy sits in front of the application in deployed environments
 # SSL terminates before getting to Django, and NGINX adds this header to indicate
 # if the original request was secure or not