diff --git a/benches/src/header_map/basic.rs b/benches/src/header_map/basic.rs
index 8c198a02..e42632f6 100644
--- a/benches/src/header_map/basic.rs
+++ b/benches/src/header_map/basic.rs
@@ -549,6 +549,9 @@ const STD: &'static [HeaderName] = &[
 CONTENT_SECURITY_POLICY_REPORT_ONLY,
 CONTENT_TYPE,
 COOKIE,
+ CROSS_ORIGIN_EMBEDDER_POLICY,
+ CROSS_ORIGIN_OPENER_POLICY,
+ CROSS_ORIGIN_RESOURCE_POLICY,
 DNT,
 DATE,
 ETAG,
diff --git a/benches/src/header_name.rs b/benches/src/header_name.rs
index 4249f987..5b50dc45 100644
--- a/benches/src/header_name.rs
+++ b/benches/src/header_name.rs
@@ -115,6 +115,9 @@ fn make_all_known_headers() -> Vec> {
 b"X-Frame-Options".to_vec(),
 // common_non_standard_response
 b"Content-Security-Policy".to_vec(),
+ b"Cross-Origin-Embedder-Policy".to_vec(),
+ b"Cross-Origin-Opener-Policy".to_vec(),
+ b"Cross-Origin-Resource-Policy".to_vec(),
 b"Refresh".to_vec(),
 b"Status".to_vec(),
 b"Timing-Allow-Origin".to_vec(),
@@ -238,6 +241,9 @@ static ALL_KNOWN_HEADERS: &[&str] = &[
 "x-frame-options",
 // common_non_standard_response
 "content-security-policy",
+ "cross-origin-embedder-policy",
+ "cross-origin-opener-policy",
+ "cross-origin-resource-policy",
 "refresh",
 "status",
 "timing-allow-origin",
diff --git a/benches/src/header_name2.rs b/benches/src/header_name2.rs
index 4562fd66..30bbd050 100644
--- a/benches/src/header_name2.rs
+++ b/benches/src/header_name2.rs
@@ -29,6 +29,7 @@ const STANDARD_HEADERS_BY_SIZE: &[&str] = &[
 "content-security-policy",
 "sec-websocket-extensions",
 "strict-transport-security",
+ "cross-origin-opener-policy",
 "access-control-allow-origin",
 "access-control-allow-headers",
 "access-control-expose-headers",
diff --git a/src/header/mod.rs b/src/header/mod.rs
index 5d405767..70f3dc64 100644
--- a/src/header/mod.rs
+++ b/src/header/mod.rs
@@ -116,6 +116,9 @@ pub use self::name::{
 CONTENT_SECURITY_POLICY_REPORT_ONLY,
 CONTENT_TYPE,
 COOKIE,
+ CROSS_ORIGIN_EMBEDDER_POLICY,
+ CROSS_ORIGIN_OPENER_POLICY,
+ CROSS_ORIGIN_RESOURCE_POLICY,
 DNT,
 DATE,
 ETAG,
diff --git a/src/header/name.rs b/src/header/name.rs
index 3d563f4e..5caeffb1 100644
--- a/src/header/name.rs
+++ b/src/header/name.rs
@@ -476,6 +476,34 @@ standard_headers! {
 /// the browser are set to block them, for example.
 (Cookie, COOKIE, b"cookie");
 
+ /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+ /// embedding cross-origin resources into the document.
+ ///
+ /// You can only access certain features like SharedArrayBuffer objects or
+ /// Performance.now() with unthrottled timers, if your document has a COEP
+ /// header with a value of require-corp or credentialless set.
+ (CrossOriginEmbedderPolicy,CROSS_ORIGIN_EMBEDDER_POLICY,b"cross-origin-embedder-policy");
+
+ /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you
+ /// to ensure a top-level document does not share a browsing context group
+ /// with cross-origin documents.
+ ///
+ /// COOP will process-isolate your document and potential attackers can't
+ /// access your global object if they were to open it in a popup,
+ /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+ ///
+ /// If a cross-origin document with COOP is opened in a new window, the
+ /// opening document will not have a reference to it, and the
+ /// window.opener property of the new window will be null. This allows
+ /// you to have more control over references to a window than
+ /// rel=noopener, which only affects outgoing navigations.
+ (CrossOriginOpenerPolicy,CROSS_ORIGIN_OPENER_POLICY,b"cross-origin-opener-policy");
+
+ /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+ /// desire that the browser blocks no-cors cross-origin/cross-site
+ /// requests to the given resource.
+ (CrossOriginResourcePolicy,CROSS_ORIGIN_RESOURCE_POLICY,b"cross-origin-resource-policy");
+
 /// Indicates the client's tracking preference.
 ///
 /// This header lets users indicate whether they would prefer privacy rather
diff --git a/tests/header_map.rs b/tests/header_map.rs
index 9859b0a8..c31d8905 100644
--- a/tests/header_map.rs
+++ b/tests/header_map.rs
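Review bot: The three new tuple entries are written without spaces after the commas, `(CrossOriginEmbedderPolicy,CROSS_ORIGIN_EMBEDDER_POLICY,b"cross-origin-embedder-policy");`, while the neighbouring entry in the same hunk reads `(Cookie, COOKIE, b"cookie");`; matching the existing spacing would keep the macro input uniform. The doc comments name the accepted values for COEP (require-corp, credentialless) but not for the other two headers; one extra line each, `/// Valid values are same-origin, same-origin-allow-popups and unsafe-none.` for COOP and `/// Valid values are same-site, same-origin and cross-origin.` for CORP, would make the three entries consistent, and wrapping window.opener, rel=noopener and SharedArrayBuffer in backticks would render them as code in rustdoc. The same doc text is added in the util/src/main.rs hunk and should be changed there in the same way; if name.rs is produced from that generator, the spacing difference suggests this hunk was edited by hand rather than regenerated. The standard_headers! invocation continues outside the hunk.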
@@ -359,6 +359,9 @@ const STD: &'static [HeaderName] = &[
 CONTENT_SECURITY_POLICY_REPORT_ONLY,
 CONTENT_TYPE,
 COOKIE,
+ CROSS_ORIGIN_EMBEDDER_POLICY,
+ CROSS_ORIGIN_OPENER_POLICY,
+ CROSS_ORIGIN_RESOURCE_POLICY,
 DNT,
 DATE,
 ETAG,
diff --git a/tests/header_map_fuzz.rs b/tests/header_map_fuzz.rs
index 40db0494..dd85e523 100644
--- a/tests/header_map_fuzz.rs
+++ b/tests/header_map_fuzz.rs
@@ -285,6 +285,9 @@ fn gen_header_name(g: &mut StdRng) -> HeaderName {
 header::CONTENT_SECURITY_POLICY_REPORT_ONLY,
 header::CONTENT_TYPE,
 header::COOKIE,
+ header::CROSS_ORIGIN_EMBEDDER_POLICY,
+ header::CROSS_ORIGIN_OPENER_POLICY,
+ header::CROSS_ORIGIN_RESOURCE_POLICY,
 header::DNT,
 header::DATE,
 header::ETAG,
diff --git a/util/src/main.rs b/util/src/main.rs
index 915cf0b8..fb404d49 100644
--- a/util/src/main.rs
+++ b/util/src/main.rs
@@ -407,6 +407,40 @@ standard_headers! {
 "#,
 "cookie";
 
+ r#"
+ /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+ /// embedding cross-origin resources into the document.
+ ///
+ /// You can only access certain features like SharedArrayBuffer objects or
+ /// Performance.now() with unthrottled timers, if your document has a COEP
+ /// header with a value of require-corp or credentialless set.
+ "#,
+ "cross-origin-embedder-policy";
+
+ r#"
+ /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you
+ /// to ensure a top-level document does not share a browsing context group
+ /// with cross-origin documents.
+ ///
+ /// COOP will process-isolate your document and potential attackers can't
+ /// access your global object if they were to open it in a popup,
+ /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+ ///
+ /// If a cross-origin document with COOP is opened in a new window, the
+ /// opening document will not have a reference to it, and the
+ /// window.opener property of the new window will be null. This allows
+ /// you to have more control over references to a window than
+ /// rel=noopener, which only affects outgoing navigations.
+ "#,
+ "cross-origin-opener-policy";
+
+ r#"
+ /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+ /// desire that the browser blocks no-cors cross-origin/cross-site
+ /// requests to the given resource.
+ "#,
+ "cross-origin-resource-policy";
+
 r#"
 /// Indicates the client's tracking preference.
 ///