hyperium · 39zde · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/benches/src/header_map/basic.rs b/benches/src/header_map/basic.rs
@@ -549,6 +549,9 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/benches/src/header_name.rs b/benches/src/header_name.rs
@@ -115,6 +115,9 @@ fn make_all_known_headers() -> Vec<Vec<u8>> {
     b"X-Frame-Options".to_vec(),
     // common_non_standard_response
     b"Content-Security-Policy".to_vec(),
+    b"Cross-Origin-Embedder-Policy".to_vec(),
+    b"Cross-Origin-Opener-Policy".to_vec(),
+    b"Cross-Origin-Resource-Policy".to_vec(),
     b"Refresh".to_vec(),
     b"Status".to_vec(),
     b"Timing-Allow-Origin".to_vec(),
@@ -238,6 +241,9 @@ static ALL_KNOWN_HEADERS: &[&str] = &[
     "x-frame-options",
     // common_non_standard_response
     "content-security-policy",
+    "cross-origin-embedder-policy",
+    "cross-origin-opener-policy",
+    "cross-origin-resource-policy",
     "refresh",
     "status",
     "timing-allow-origin",

diff --git a/benches/src/header_name2.rs b/benches/src/header_name2.rs
@@ -29,6 +29,7 @@ const STANDARD_HEADERS_BY_SIZE: &[&str] = &[
     "content-security-policy",
     "sec-websocket-extensions",
     "strict-transport-security",
+    "cross-origin-opener-policy",
     "access-control-allow-origin",
     "access-control-allow-headers",
     "access-control-expose-headers",

diff --git a/src/byte_str.rs b/src/byte_str.rs
@@ -31,7 +31,7 @@ impl ByteStr {
     ///
     /// ## Safety
     /// `bytes` must contain valid UTF-8. In a release build it is undefined
-    /// behaviour to call this with `bytes` that is not valid UTF-8.
+    /// behavior to call this with `bytes` that is not valid UTF-8.
     pub unsafe fn from_utf8_unchecked(bytes: Bytes) -> ByteStr {
         if cfg!(debug_assertions) {
             match str::from_utf8(&bytes) {

diff --git a/src/extensions.rs b/src/extensions.rs
@@ -215,7 +215,7 @@ impl Extensions {
         self.map.as_ref().map_or(true, |map| map.is_empty())
     }
 
-    /// Get the numer of extensions available.
+    /// Get the number of extensions available.
     ///
     /// # Example
     ///

diff --git a/src/header/mod.rs b/src/header/mod.rs
@@ -116,6 +116,9 @@ pub use self::name::{
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/src/header/name.rs b/src/header/name.rs
@@ -476,6 +476,34 @@ standard_headers! {
     /// the browser are set to block them, for example.
     (Cookie, COOKIE, b"cookie");
 
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+    /// embedding cross-origin resources into the document.
+    ///
+    /// You can only access certain features like SharedArrayBuffer objects or
+    /// Performance.now() with unthrottled timers, if your document has a COEP
+    /// header with a value of require-corp or credentialless set.
+    (CrossOriginEmbedderPolicy,CROSS_ORIGIN_EMBEDDER_POLICY,b"cross-origin-embedder-policy");
+
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you
+    /// to ensure a top-level document does not share a browsing context group
+    /// with cross-origin documents.
+    ///
+    /// COOP will process-isolate your document and potential attackers can't
+    /// access your global object if they were to open it in a popup,
+    /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+    ///
+    /// If a cross-origin document with COOP is opened in a new window, the
+    /// opening document will not have a reference to it, and the
+    /// window.opener property of the new window will be null. This allows
+    /// you to have more control over references to a window than
+    /// rel=noopener, which only affects outgoing navigations.
+    (CrossOriginOpenerPolicy,CROSS_ORIGIN_OPENER_POLICY,b"cross-origin-opener-policy");
+
+    /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+    /// desire that the browser blocks no-cors cross-origin/cross-site
+    /// requests to the given resource.
+    (CrossOriginResourcePolicy,CROSS_ORIGIN_RESOURCE_POLICY,b"cross-origin-resource-policy");
+
     /// Indicates the client's tracking preference.
     ///
     /// This header lets users indicate whether they would prefer privacy rather
@@ -1659,13 +1687,13 @@ const SCRATCH_BUF_OVERFLOW: usize = SCRATCH_BUF_SIZE + 1;
 fn uninit_u8_array() -> [MaybeUninit<u8>; SCRATCH_BUF_SIZE] {
     let arr = MaybeUninit::<[MaybeUninit<u8>; SCRATCH_BUF_SIZE]>::uninit();
     // Safety: assume_init() is claiming that an array of MaybeUninit<>
-    // has been initilized, but MaybeUninit<>'s do not require initilizaton.
+    // has been initialized, but MaybeUninit<>'s do not require initialization.
     unsafe { arr.assume_init() }
 }
 
-// Assuming all the elements are initilized, get a slice of them.
+// Assuming all the elements are initialized, get a slice of them.
 //
-// Safety: All elements of `slice` must be initilized to prevent
+// Safety: All elements of `slice` must be initialized to prevent
 // undefined behavior.
 unsafe fn slice_assume_init<T>(slice: &[MaybeUninit<T>]) -> &[T] {
     &*(slice as *const [MaybeUninit<T>] as *const [T])

diff --git a/src/uri/authority.rs b/src/uri/authority.rs
@@ -24,7 +24,7 @@ impl Authority {
     // Not public while `bytes` is unstable.
     pub(super) fn from_shared(s: Bytes) -> Result<Self, InvalidUri> {
         // Precondition on create_authority: trivially satisfied by the
-        // identity clousre
+        // identity closure
         create_authority(s, |s| s)
     }
 

diff --git a/src/uri/scheme.rs b/src/uri/scheme.rs
@@ -302,7 +302,7 @@ impl Scheme2<usize> {
                         // Return scheme
                         return Ok(Scheme2::Other(i));
                     }
-                    // Invald scheme character, abort
+                    // Invalid scheme character, abort
                     0 => break,
                     _ => {}
                 }
@@ -349,10 +349,10 @@ mod test {
 
     #[test]
     fn invalid_scheme_is_error() {
-        Scheme::try_from("my_funky_scheme").expect_err("Unexpectly valid Scheme");
+        Scheme::try_from("my_funky_scheme").expect_err("Unexpectedly valid Scheme");
 
         // Invalid UTF-8
-        Scheme::try_from([0xC0].as_ref()).expect_err("Unexpectly valid Scheme");
+        Scheme::try_from([0xC0].as_ref()).expect_err("Unexpectedly valid Scheme");
     }
 
     fn scheme(s: &str) -> Scheme {

diff --git a/tests/header_map.rs b/tests/header_map.rs
@@ -359,6 +359,9 @@ const STD: &'static [HeaderName] = &[
     CONTENT_SECURITY_POLICY_REPORT_ONLY,
     CONTENT_TYPE,
     COOKIE,
+    CROSS_ORIGIN_EMBEDDER_POLICY,
+    CROSS_ORIGIN_OPENER_POLICY,
+    CROSS_ORIGIN_RESOURCE_POLICY,
     DNT,
     DATE,
     ETAG,

diff --git a/tests/header_map_fuzz.rs b/tests/header_map_fuzz.rs
@@ -285,6 +285,9 @@ fn gen_header_name(g: &mut StdRng) -> HeaderName {
         header::CONTENT_SECURITY_POLICY_REPORT_ONLY,
         header::CONTENT_TYPE,
         header::COOKIE,
+        header::CROSS_ORIGIN_EMBEDDER_POLICY,
+        header::CROSS_ORIGIN_OPENER_POLICY,
+        header::CROSS_ORIGIN_RESOURCE_POLICY,
         header::DNT,
         header::DATE,
         header::ETAG,

diff --git a/util/src/main.rs b/util/src/main.rs
@@ -407,6 +407,40 @@ standard_headers! {
     "#,
     "cookie";
 
+    r#"
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures
+    /// embedding cross-origin resources into the document.
+    /// 
+    /// You can only access certain features like SharedArrayBuffer objects or 
+    /// Performance.now() with unthrottled timers, if your document has a COEP 
+    /// header with a value of require-corp or credentialless set.
+    "#,
+    "cross-origin-embedder-policy";
+
+    r#"
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you 
+    /// to ensure a top-level document does not share a browsing context group
+    /// with cross-origin documents.
+    ///
+    /// COOP will process-isolate your document and potential attackers can't
+    /// access your global object if they were to open it in a popup, 
+    /// preventing a set of cross-origin attacks dubbed XS-Leaks.
+    ///
+    /// If a cross-origin document with COOP is opened in a new window, the
+    /// opening document will not have a reference to it, and the
+    /// window.opener property of the new window will be null. This allows
+    /// you to have more control over references to a window than
+    /// rel=noopener, which only affects outgoing navigations.
+    "#,
+    "cross-origin-opener-policy";
+
+    r#"
+    /// The HTTP Cross-Origin-Resource-Policy response header conveys a
+    /// desire that the browser blocks no-cors cross-origin/cross-site
+    /// requests to the given resource.
+    "#,
+    "cross-origin-resource-policy";
+
     r#"
     /// Indicates the client's tracking preference.
     ///