Add header support for Cross-Origin-Opener-Policy #12780
We seem to already support this header output at Nginx, we just need this in our modeling.
This does not currently return the expected headers via Nginx: this needs to be handled separately.

    proxy_hide_header Cross-Origin-Opener-Policy;
    set $cross_origin_opener_policy $upstream_http_cross_origin_opener_policy;
I don't understand how this works.
I tested your PR locally and I still see the header same-origin:
    agj/cross-origin-opener-policy ✔
    $ curl -ILs http://test-builds.devthedocs.org/en/latest/ | grep -i origin-opener
    Cross-Origin-Opener-Policy: same-origin
On the other hand, we don't want to always hide this header. We still want to have the same-origin default that Django adds. However, we want to be able to override it for a particular project to change its value or delete it. Otherwise, it will be a security issue.
Yeah, I already noted above the header doesn't seem to return correctly.
The logic here is the same logic as the other headers, I didn't do anything special.
(See readthedocs.org/dockerfiles/nginx/proxito.conf.template, lines 122 to 124 at c91b715.)
This does need to conditionally pass through the default, but this was a quick effort and didn't get this to even replace this header value yet.
Ah, I wasn't aware of the other proxy_hide_header.
Reading more here, we use it because we want to remove the headers from S3 (MinIO in development), because it sets some headers that we want to force to come from the upstream instead of the proxy pass. There are a bunch of headers where we don't use proxy_hide_header, and that's because S3 is not setting them, so there is nothing to hide first.
Yeah, I get that usage, there are a number of cases of proxy_hide_header in that config too though.
I expected proxy_hide_header here to also hide the Cross-Origin-Opener-Policy header set by Django, but it doesn't seem to.
Ultimately what we need is to replace the default header with the custom header, but only when it exists. But neither replacing nor hiding the header has worked just yet.
Back to draft while I get back to this; I was hoping it would be an easy thing to include in this release.
We seem to already support this header output at Nginx, we just need this in our modeling. This is for a user requested header addition from support.
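One way to express the "keep Django's same-origin default, but let a project override or drop it" behaviour discussed in this thread, as an added example that is not part of this PR or of the readthedocs.org proxito config. It assumes a plain proxy_pass location rather than the X-Accel-Redirect flow to S3, and it assumes a sentinel value "unset" (not an nginx or project convention) as the way a project asks for the header to be removed.

```nginx
# Added example, not the readthedocs.org proxito.conf: pick the outgoing
# Cross-Origin-Opener-Policy value once per response.
# Assumes the upstream (Django) only sends a custom value when a project
# overrides the header, and that "unset" is an assumed sentinel meaning
# "send no header at all".
map $upstream_http_cross_origin_opener_policy $coop_out {
    default $upstream_http_cross_origin_opener_policy;  # project override: pass it through
    ""      "same-origin";                              # no override: keep the secure default
    "unset" "";                                         # sentinel: empty value means no header
}

server {
    listen 80;
    server_name example.invalid;  # placeholder

    location / {
        proxy_pass http://127.0.0.1:8000;  # placeholder upstream

        # Drop the upstream copy so the add_header below is the only
        # Cross-Origin-Opener-Policy the client sees; without this,
        # add_header would append a second copy next to the upstream's.
        proxy_hide_header Cross-Origin-Opener-Policy;

        # nginx does not emit add_header when the evaluated value is empty,
        # which is what lets the "unset" sentinel delete the header.
        # An add_header in this location replaces any add_header inherited
        # from the server block, so repeat those here if the real config has any.
        add_header Cross-Origin-Opener-Policy $coop_out always;
    }
}
```

Verify with the same `curl -ILs ... | grep -i origin-opener` check used above: the pass condition is exactly one header carrying the expected value, or no header at all for the sentinel case.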