Add support or setting Cross-Origin-Opener-Policy header

And default it to same-origin, the most locked down value. I don't think
we need to allow it anywhere, but having this decorator makes it
possible to override if needed.

Author: mhagander

pgweb/util/decorators.py

@@ -57,6 +57,17 @@ def _allow_frames(request, *_args, **_kwargs):
     return _allow_frames
 
 
+def origin_opener_policy(policy):
+    def _origin_opener_policy(fn):
+        def __origin_opener_policy(request, *_args, **_kwargs):
+            resp = fn(request, *_args, **_kwargs)
+            resp.x_origin_opener_policy = policy
+
+            return resp
+        return __origin_opener_policy
+    return _origin_opener_policy
+
+
 def content_sources(what, source):
     def _script_sources(fn):
         def __script_sources(request, *_args, **_kwargs):

pgweb/util/middleware.py

@@ -75,6 +75,8 @@ def __call__(self, request):
             else:
                 response['Content-Security-Policy'] = " ; ".join(security_policies)
 
+        response['Cross-Origin-Opener-Policy'] = getattr(response, 'x_origin_opener_policy', 'same-origin')
+
         response['X-XSS-Protection'] = "1; mode=block"
         return response