Add Cross-Origin-Opener-Policy header to login pages

## Cross-Origin-Opener-Policy header on login pages

### Problem
It seems like by default the 0Auth Autorize page and perhaps other login pages do not have the [Cross-Origin-Opener-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) header present making the pages vulnerable to [cross-site leaks](https://xsleaks.dev/docs/defenses/opt-in/coop/).
Combined with social engineering, an attacker could get enough information and control from the child window to take over someone's account by redirecting to the wrong 0Auth app.

### Solution
Add Cross-Origin-Opener-Policy: same-origin header to login pages

### Alternatives/workarounds
One alternative would be to inject the following in all login pages to close the application whenever it's opened from any other window
    <script>
        if (window?.opener) {
            window.close();
        }
    </script>
The second one (probably the most secure and clean) is to use a K8 egress to add the header on all login pages; However the latter requires a little more complex deployment setup.


### Related
- https://github.com/FusionAuth/fusionauth-issues/issues/1510
- https://github.com/FusionAuth/fusionauth-issues/issues/2095
- https://github.com/FusionAuth/fusionauth-issues/issues/2847

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Cross-Origin-Opener-Policy header to login pages #2847

Cross-Origin-Opener-Policy header on login pages

Problem

Solution

Alternatives/workarounds

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add Cross-Origin-Opener-Policy header to login pages #2847

Description

Cross-Origin-Opener-Policy header on login pages

Problem

Solution

Alternatives/workarounds

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions