From 5269afe0782a527d4a63740e071791c1d9d759ce Mon Sep 17 00:00:00 2001
From: Max Batischev
Date: Tue, 13 May 2025 16:00:59 +0300
Subject: [PATCH] Add Support Credentialless COEP Header

Closes gh-16991

Signed-off-by: Max Batischev
---
 .../springframework/security/config/spring-security-7.0.rnc | 2 +-
 .../springframework/security/config/spring-security-7.0.xsd | 1 +
 .../writers/CrossOriginEmbedderPolicyHeaderWriter.java | 6 ++++--
 .../CrossOriginEmbedderPolicyServerHttpHeadersWriter.java | 6 ++++--
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-7.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-7.0.rnc
index ec51246b6fe..15d15b191b7 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-7.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-7.0.rnc
@@ -1308,7 +1308,7 @@ cross-origin-embedder-policy =
 element cross-origin-embedder-policy {cross-origin-embedder-policy-options.attlist,empty}
 cross-origin-embedder-policy-options.attlist &=
 ## The policies for the Cross-Origin-Embedder-Policy header.
- attribute policy {"unsafe-none","require-corp"}?
+ attribute policy {"unsafe-none","require-corp", "credentialless"}?
 cross-origin-resource-policy =
 ## Adds support for Cross-Origin-Resource-Policy header
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-7.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-7.0.xsd
index e254b8488ea..34556b5549a 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-7.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-7.0.xsd
@@ -3668,6 +3668,7 @@ +
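Review bot: The added `"credentialless"` entry in the `policy` attribute list of `spring-security-7.0.rnc` is written with a space after the comma, while the existing entries `"unsafe-none","require-corp"` have none; `attribute policy {"unsafe-none","require-corp","credentialless"}?` keeps the list consistent. The diffstat lists only four files and no tests, so an XML-namespace test that sets `policy="credentialless"` on `cross-origin-embedder-policy` and asserts the emitted header would cover the schema path. The `.xsd` hunk's content is not readable on this page, so it could not be compared with the `.rnc` change.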
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java
index d7e2a6dde58..7d9050a8e10 100644
--- a/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -58,7 +58,9 @@ public enum CrossOriginEmbedderPolicy {
 UNSAFE_NONE("unsafe-none"),
- REQUIRE_CORP("require-corp");
+ REQUIRE_CORP("require-corp"),
+
+ CREDENTIALLESS("credentialless");
 private final String policy;
diff --git a/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java b/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java
index 17446845dde..d1d6e72629e 100644
--- a/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java
+++ b/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
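Review bot: The new `CREDENTIALLESS("credentialless")` constant in `CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy` is added without a Javadoc comment, and the same applies to the matching constant in the `@@ -61,7 +61,9 @@` hunk of `CrossOriginEmbedderPolicyServerHttpHeadersWriter`. A short comment such as `/** Cross-origin no-cors requests are sent without credentials; a browser that does not recognise this token is expected to treat the policy as unsafe-none. */` would tell users that the value does not by itself guarantee cross-origin isolation on every client; the fallback wording should be confirmed against the HTML specification before it is merged. The diffstat lists no test files, so a case that writes the header with the new value, for both the servlet and the reactive writer, would pin the behaviour. The enum body starts before and continues after this hunk, so any string-lookup method it has is not visible here.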
@@ -61,7 +61,9 @@ public enum CrossOriginEmbedderPolicy {
 UNSAFE_NONE("unsafe-none"),
- REQUIRE_CORP("require-corp");
+ REQUIRE_CORP("require-corp"),
+
+ CREDENTIALLESS("credentialless");
 private final String policy;