Add missing headers

benches/src/header_map/basic.rs

@@ -549,6 +549,9 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

benches/src/header_name.rs

@@ -115,6 +115,9 @@ fn make_all_known_headers() -> Vec<Vec<u8>> {
     b"X-Frame-Options".to_vec(),
     // common_non_standard_response
     b"Content-Security-Policy".to_vec(),
+    b"Cross-Origin-Embedder-Policy".to_vec(),
+    b"Cross-Origin-Opener-Policy".to_vec(),
+    b"Cross-Origin-Resource-Policy".to_vec(),
     b"Refresh".to_vec(),
     b"Status".to_vec(),
     b"Timing-Allow-Origin".to_vec(),
@@ -238,6 +241,9 @@ static ALL_KNOWN_HEADERS: &[&str] = &[
     "x-frame-options",
     // common_non_standard_response
     "content-security-policy",
+    "cross-origin-embedder-policy",
+    "cross-origin-opener-policy",
+    "cross-origin-resource-policy",
     "refresh",
     "status",
     "timing-allow-origin",

benches/src/header_name2.rs

@@ -29,6 +29,7 @@ const STANDARD_HEADERS_BY_SIZE: &[&str] = &[
     "content-security-policy",
     "sec-websocket-extensions",
     "strict-transport-security",
+    "cross-origin-opener-policy",
     "access-control-allow-origin",
     "access-control-allow-headers",
     "access-control-expose-headers",

src/header/mod.rs

@@ -116,6 +116,9 @@ pub use self::name::{
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

src/header/name.rs

@@ -476,6 +476,34 @@ standard_headers! {
     /// the browser are set to block them, for example.
     (Cookie, COOKIE, b"cookie");
 
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+    /// embedding cross-origin resources into the document.
+    ///
+    /// You can only access certain features like SharedArrayBuffer objects or
+    /// Performance.now() with unthrottled timers, if your document has a COEP
+    /// header with a value of require-corp or credentialless set.
+    (CrossOriginEmbedderPolicy,CROSS_ORIGIN_EMBEDDER_POLICY,b"cross-origin-embedder-policy");
+
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you
+    /// to ensure a top-level document does not share a browsing context group
+    /// with cross-origin documents.
+    ///
+    /// COOP will process-isolate your document and potential attackers can't
+    /// access your global object if they were to open it in a popup,
+    /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+    ///
+    /// If a cross-origin document with COOP is opened in a new window, the
+    /// opening document will not have a reference to it, and the
+    /// window.opener property of the new window will be null. This allows
+    /// you to have more control over references to a window than
+    /// rel=noopener, which only affects outgoing navigations.
+    (CrossOriginOpenerPolicy,CROSS_ORIGIN_OPENER_POLICY,b"cross-origin-opener-policy");
+
+    /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+    /// desire that the browser blocks no-cors cross-origin/cross-site
+    /// requests to the given resource.
+    (CrossOriginResourcePolicy,CROSS_ORIGIN_RESOURCE_POLICY,b"cross-origin-resource-policy");
+
     /// Indicates the client's tracking preference.
     ///
     /// This header lets users indicate whether they would prefer privacy rather

tests/header_map.rs

@@ -359,6 +359,9 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

tests/header_map_fuzz.rs

@@ -285,6 +285,9 @@ fn gen_header_name(g: &mut StdRng) -> HeaderName {
         header::CONTENT_SECURITY_POLICY_REPORT_ONLY,
         header::CONTENT_TYPE,
         header::COOKIE,
+        header::CROSS_ORIGIN_EMBEDDER_POLICY,
+        header::CROSS_ORIGIN_OPENER_POLICY,
+        header::CROSS_ORIGIN_RESOURCE_POLICY,
         header::DNT,
         header::DATE,
         header::ETAG,

util/src/main.rs

@@ -407,6 +407,40 @@ standard_headers! {
     "#,
     "cookie";
 
+    r#"
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+    /// embedding cross-origin resources into the document.
+    /// 
+    /// You can only access certain features like SharedArrayBuffer objects or 
+    /// Performance.now() with unthrottled timers, if your document has a COEP 
+    /// header with a value of require-corp or credentialless set.
+    "#,
+    "cross-origin-embedder-policy";
+
+    r#"
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you 
+    /// to ensure a top-level document does not share a browsing context group
+    /// with cross-origin documents.
+    ///
+    /// COOP will process-isolate your document and potential attackers can't
+    /// access your global object if they were to open it in a popup, 
+    /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+    ///
+    /// If a cross-origin document with COOP is opened in a new window, the
+    /// opening document will not have a reference to it, and the
+    /// window.opener property of the new window will be null. This allows
+    /// you to have more control over references to a window than
+    /// rel=noopener, which only affects outgoing navigations.
+    "#,
+    "cross-origin-opener-policy";
+
+    r#"
+    /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+    /// desire that the browser blocks no-cors cross-origin/cross-site
+    /// requests to the given resource.
+    "#,
+    "cross-origin-resource-policy";
+
     r#"
     /// Indicates the client's tracking preference.
     ///