Fixed #31840 -- Added support for Cross-Origin Opener Policy header.

Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
2025-10-31 09:41:08 +00:00 · 2020-08-26 12:09:19 -04:00
parent f6018c1e63
commit db5b75f10f
12 changed files with 175 additions and 5 deletions
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -229,7 +229,11 @@ Models
 Requests and Responses
 ~~~~~~~~~~~~~~~~~~~~~~

-* ...
+* The :class:`~django.middleware.security.SecurityMiddleware` now adds the
+  :ref:`Cross-Origin Opener Policy <cross-origin-opener-policy>` header with a
+  value of ``'same-origin'`` to prevent cross-origin popups from sharing the
+  same browsing context. You can prevent this header from being added by
+  setting the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting to ``None``.

 Security
 ~~~~~~~~