Move the COEP, COOP and CORP headers to Cors plugin and change default values

src/common/core/cors/cors.lua

@@ -8,7 +8,10 @@ function cors:initialize(ctx)
 	-- Call parent initialize
 	plugin.initialize(self, "cors", ctx)
 	self.all_headers = {
-		["CORS_EXPOSE_HEADERS"] = "Access-Control-Expose-Headers"
+		["CORS_EXPOSE_HEADERS"] = "Access-Control-Expose-Headers",
+		["CROSS_ORIGIN_OPENER_POLICY"] = "Cross-Origin-Opener-Policy",
+		["CROSS_ORIGIN_EMBEDDER_POLICY"] = "Cross-Origin-Embedder-Policy",
+		["CROSS_ORIGIN_RESOURCE_POLICY"] = "Cross-Origin-Resource-Policy",
 	}
 	self.preflight_headers = {
 		["CORS_MAX_AGE"] = "Access-Control-Max-Age",
@@ -79,7 +82,8 @@ function cors:access()
 	end
 	-- Deny as soon as possible if needed
 	if self.ctx.bw.http_origin and self.variables["CORS_DENY_REQUEST"] == "yes" and self.variables["CORS_ALLOW_ORIGIN"] ~= "*" and not utils.regex_match(self.ctx.bw.http_origin, self.variables["CORS_ALLOW_ORIGIN"]) then
-		return self:ret(true, "origin " .. self.ctx.bw.http_origin .. " is not allowed, denying access", utils.get_deny_status(self.ctx))
+		return self:ret(true, "origin " .. self.ctx.bw.http_origin .. " is not allowed, denying access",
+			utils.get_deny_status(self.ctx))
 	end
 	-- Send CORS policy with a 204 (no content) status
 	if self.ctx.bw.request_method == "OPTIONS" and self.ctx.bw.http_origin then

src/common/core/cors/plugin.json

@@ -32,6 +32,51 @@
       "regex": "^(\\*|(?![, ]+)(,? ?([\\w-]+)(?!.*\\3(?!.)))*)?$",
       "type": "text"
     },
+    "CROSS_ORIGIN_OPENER_POLICY": {
+      "context": "multisite",
+      "default": "",
+      "help": "Value for the Cross-Origin-Opener-Policy header.",
+      "id": "cross-origin-opener-policy",
+      "label": "Cross-Origin-Opener-Policy",
+      "regex": "^(unsafe-none|same-origin-allow-popups|same-origin)?$",
+      "type": "select",
+      "select": [
+        "",
+        "unsafe-none",
+        "same-origin-allow-popups",
+        "same-origin"
+      ]
+    },
+    "CROSS_ORIGIN_EMBEDDER_POLICY": {
+      "context": "multisite",
+      "default": "",
+      "help": "Value for the Cross-Origin-Embedder-Policy header.",
+      "id": "cross-origin-embedder-policy",
+      "label": "Cross-Origin-Embedder-Policy",
+      "regex": "^(unsafe-none|require-corp|credentialless)?$",
+      "type": "select",
+      "select": [
+        "",
+        "unsafe-none",
+        "require-corp",
+        "credentialless"
+      ]
+    },
+    "CROSS_ORIGIN_RESOURCE_POLICY": {
+      "context": "multisite",
+      "default": "",
+      "help": "Value for the Cross-Origin-Resource-Policy header.",
+      "id": "cross-origin-resource-policy",
+      "label": "Cross-Origin-Resource-Policy",
+      "regex": "^(same-site|same-origin|cross-origin)?$",
+      "type": "select",
+      "select": [
+        "",
+        "same-site",
+        "same-origin",
+        "cross-origin"
+      ]
+    },
     "CORS_MAX_AGE": {
       "context": "multisite",
       "default": "86400",

src/common/core/headers/headers.lua

@@ -13,9 +13,6 @@ function headers:initialize()
     ["REFERRER_POLICY"] = "Referrer-Policy",
     ["PERMISSIONS_POLICY"] = "Permissions-Policy",
     ["FEATURE_POLICY"] = "Feature-Policy",
-    ["CROSS_ORIGIN_OPENER_POLICY"] = "Cross-Origin-Opener-Policy",
-    ["CROSS_ORIGIN_EMBEDDER_POLICY"] = "Cross-Origin-Embedder-Policy",
-    ["CROSS_ORIGIN_RESOURCE_POLICY"] = "Cross-Origin-Resource-Policy",
     ["X_FRAME_OPTIONS"] = "X-Frame-Options",
     ["X_CONTENT_TYPE_OPTIONS"] = "X-Content-Type-Options",
     ["X_XSS_PROTECTION"] = "X-XSS-Protection"
@@ -24,12 +21,17 @@ end
 
 function headers:header()
   -- Override upstream headers if needed
-  local ssl = utils.get_variable("AUTO_LETS_ENCRYPT") == "yes" or utils.get_variable("USE_CUSTOM_SSL") == "yes" or
-      utils.get_variable("GENERATE_SELF_SIGNED_SSL") == "yes"
+  local ssl = utils.get_variable("AUTO_LETS_ENCRYPT", true) == "yes" or
+      utils.get_variable("USE_CUSTOM_SSL", true) == "yes" or
+      utils.get_variable("GENERATE_SELF_SIGNED_SSL", true) == "yes"
   for variable, header in pairs(self.all_headers) do
     if ngx.header[header] == nil or self.variables[variable] and self.variables["KEEP_UPSTREAM_HEADERS"] ~= "*" and utils.regex_match(self.variables["KEEP_UPSTREAM_HEADERS"], "(^| )" .. header .. "($| )") == nil then
-      if header ~= "Strict-Transport-Security" or ssl then
-        ngx.header[header] = self.variables[variable]
+      if (header ~= "Strict-Transport-Security" or ssl) then
+        if header == "Content-Security-Policy" and self.variables["CONTENT_SECURITY_POLICY_REPORT_ONLY"] == "yes" then
+          ngx.header["Content-Security-Policy-Report-Only"] = self.variables[variable]
+        else
+          ngx.header[header] = self.variables[variable]
+        end
       end
     end
   end

src/common/core/headers/plugin.json

@@ -70,6 +70,15 @@
       "regex": "^.*$",
       "type": "text"
     },
+    "CONTENT_SECURITY_POLICY_REPORT_ONLY": {
+      "context": "multisite",
+      "default": "no",
+      "help": "Send reports for violations of the Content-Security-Policy header instead of blocking them.",
+      "id": "content-security-policy-report-only",
+      "label": "Content-Security-Policy-Report-Only",
+      "regex": "^(yes|no)$",
+      "type": "check"
+    },
     "REFERRER_POLICY": {
       "context": "multisite",
       "default": "strict-origin-when-cross-origin",
@@ -108,51 +117,6 @@
       "regex": "^(?![; ])( ?([\\w-]+)(?!.*[^-]\\2 )( ('(none|self|strict-dynamic|report-sample|unsafe-inline|unsafe-eval|unsafe-hashes|unsafe-allow-redirects)'|https?://[\\w@:%.+~#=-]+[\\w()!@:%+.~#?&/=$-]*))+;)*$",
       "type": "text"
     },
-    "CROSS_ORIGIN_OPENER_POLICY": {
-      "context": "multisite",
-      "default": "same-origin",
-      "help": "Value for the Cross-Origin-Opener-Policy header.",
-      "id": "cross-origin-opener-policy",
-      "label": "Cross-Origin-Opener-Policy",
-      "regex": "^(unsafe-none|same-origin-allow-popups|same-origin)?$",
-      "type": "select",
-      "select": [
-        "",
-        "unsafe-none",
-        "same-origin-allow-popups",
-        "same-origin"
-      ]
-    },
-    "CROSS_ORIGIN_EMBEDDER_POLICY": {
-      "context": "multisite",
-      "default": "require-corp",
-      "help": "Value for the Cross-Origin-Embedder-Policy header.",
-      "id": "cross-origin-embedder-policy",
-      "label": "Cross-Origin-Embedder-Policy",
-      "regex": "^(unsafe-none|require-corp|credentialless)?$",
-      "type": "select",
-      "select": [
-        "",
-        "unsafe-none",
-        "require-corp",
-        "credentialless"
-      ]
-    },
-    "CROSS_ORIGIN_RESOURCE_POLICY": {
-      "context": "multisite",
-      "default": "same-site",
-      "help": "Value for the Cross-Origin-Resource-Policy header.",
-      "id": "cross-origin-resource-policy",
-      "label": "Cross-Origin-Resource-Policy",
-      "regex": "^(same-site|same-origin|cross-origin)?$",
-      "type": "select",
-      "select": [
-        "",
-        "same-site",
-        "same-origin",
-        "cross-origin"
-      ]
-    },
     "X_FRAME_OPTIONS": {
       "context": "multisite",
       "default": "SAMEORIGIN",