feat: cors support for embedder and opener

Refer: #202

Author: LeoBorai

fixtures/config.toml

@@ -21,6 +21,8 @@ port = 7878
 # max_age = 600
 # request_headers = ["x-app-version"]
 # request_method = "GET"
+# embedder_policy = "require-corp"
+# opener_policy = "same-origin"
 
 # [compression]
 # gzip = true

src/addon/cors.rs

@@ -79,6 +79,18 @@ pub struct Cors {
     /// preflight request is always an OPTIONS and doesn't use the same method as
     /// the actual request.
     pub(crate) request_method: Option<String>,
+    /// The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a
+    /// document from loading any cross-origin resources that don't explicitly
+    /// grant the document permission (using CORP or CORS).
+    ///
+    /// Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
+    pub(crate) embedder_policy: Option<String>,
+    /// The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to
+    /// ensure a top-level document does not share a browsing context group with
+    /// cross-origin documents.
+    ///
+    /// Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+    pub(crate) opener_policy: Option<String>,
 }
 
 impl Cors {
@@ -156,6 +168,32 @@ impl Cors {
             ));
         }
 
+        if let Some(embedder_policy) = cors.embedder_policy {
+            // TODO: Validate possible directives
+            //
+            // Cross-Origin-Embedder-Policy: unsafe-none | require-corp
+            //
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+            cors_headers.push((
+                HeaderName::from_static("Cross-Origin-Embedder-Policy"),
+                HeaderValue::from_str(&embedder_policy.as_str()).unwrap(),
+            ));
+        }
+
+        if let Some(opener_policy) = cors.opener_policy {
+            // TODO: Validate possible directives
+            //
+            // Cross-Origin-Opener-Policy: unsafe-none
+            // Cross-Origin-Opener-Policy: same-origin-allow-popups
+            // Cross-Origin-Opener-Policy: same-origin
+            //
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy#directives
+            cors_headers.push((
+                HeaderName::from_static("Cross-Origin-Opener-Policy"),
+                HeaderValue::from_str(&opener_policy.as_str()).unwrap(),
+            ));
+        }
+
         cors_headers
     }
 }
@@ -206,6 +244,16 @@ impl CorsBuilder {
         self
     }
 
+    pub fn embedder_policy(mut self, embedder_policy: String) -> Self {
+        self.config.embedder_policy = Some(embedder_policy);
+        self
+    }
+
+    pub fn opener_policy(mut self, opener_policy: String) -> Self {
+        self.config.opener_policy = Some(opener_policy);
+        self
+    }
+
     pub fn build(self) -> Cors {
         self.config
     }
@@ -249,6 +297,14 @@ impl TryFrom<CorsConfig> for Cors {
             builder = builder.request_method(request_method);
         }
 
+        if let Some(embedder_policy) = value.embedder_policy {
+            builder = builder.embedder_policy(embedder_policy);
+        }
+
+        if let Some(opener_policy) = value.opener_policy {
+            builder = builder.opener_policy(opener_policy);
+        }
+
         Ok(builder.build())
     }
 }
@@ -360,6 +416,7 @@ mod tests {
             max_age: Some(max_age),
             request_headers: Some(request_headers.clone()),
             request_method: Some(request_method.clone()),
+            ..Default::default()
         };
         let cors = Cors {
             allow_credentials: true,
@@ -370,6 +427,7 @@ mod tests {
             max_age: Some(max_age),
             request_headers: Some(request_headers),
             request_method: Some(request_method),
+            ..Default::default()
         };
 
         assert_eq!(cors, Cors::try_from(config).unwrap());

src/config/cors.rs

@@ -10,6 +10,8 @@ pub struct CorsConfig {
     pub max_age: Option<u64>,
     pub request_headers: Option<Vec<String>>,
     pub request_method: Option<String>,
+    pub embedder_policy: Option<String>,
+    pub opener_policy: Option<String>,
 }
 
 impl CorsConfig {
@@ -31,7 +33,22 @@ impl CorsConfig {
             ]),
             allow_credentials: false,
             max_age: Some(43200),
+            ..Default::default()
+        }
+    }
+}
+
+impl Default for CorsConfig {
+    fn default() -> Self {
+        Self {
+            allow_origin: None,
+            allow_headers: None,
+            allow_credentials: false,
+            allow_methods: None,
+            embedder_policy: None,
             expose_headers: None,
+            max_age: None,
+            opener_policy: None,
             request_headers: None,
             request_method: None,
         }

src/config/file.rs

@@ -190,10 +190,7 @@ mod tests {
                 "DELETE".to_string(),
             ]),
             allow_origin: Some(String::from("example.com")),
-            expose_headers: None,
-            max_age: None,
-            request_headers: None,
-            request_method: None,
+            ..Default::default()
         };
         let config = ConfigFile::parse_toml(file_contents).unwrap();
         let root_dir = Some(std::env::current_dir().unwrap());
@@ -219,6 +216,8 @@ mod tests {
             max_age = 2800
             request_headers = ["x-app-version"]
             request_method = "GET"
+            embedder_policy = "require-corp"
+            opener_policy = "same-origin"
         "#;
         let host = IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0));
         let port = 8080;
@@ -242,6 +241,8 @@ mod tests {
             max_age: Some(2800),
             request_headers: Some(vec!["x-app-version".to_string()]),
             request_method: Some(String::from("GET")),
+            embedder_policy: Some(String::from("require-corp")),
+            opener_policy: Some(String::from("same-origin")),
         };
         let config = ConfigFile::parse_toml(file_contents).unwrap();