File 0001-Fixed-Cross-Origin-Opener-Policy-COOP-vulnerability-in-the.patch of Package pgadmin4.41010

From cdeb18fcbb139a200b5a4779c82f9cd1aaaf3c89 Mon Sep 17 00:00:00 2001
From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Mon, 1 Sep 2025 16:34:18 +0530
Subject: [PATCH] Fixed Cross-Origin Opener Policy (COOP) vulnerability in the
 OAuth 2.0 authentication flow (CVE-2025-9636). #9114

---
 docs/en_US/release_notes_9_8.rst      |  1 +
 web/config.py                         | 11 +++++++++++
 web/pgadmin/utils/security_headers.py |  1 +
 3 files changed, 13 insertions(+)

#diff --git a/docs/en_US/release_notes_9_8.rst b/docs/en_US/release_notes_9_8.rst
#index 986b4d56622..d2572bed25f 100644
#--- a/docs/en_US/release_notes_9_8.rst
#+++ b/docs/en_US/release_notes_9_8.rst
#@@ -35,4 +35,5 @@ Bug fixes
# 
#   | `Issue #9090 <https://github.com/pgadmin-org/pgadmin4/issues/9090>`_ -  Pin Paramiko to version 3.5.1 to fix the DSSKey error introduced in the latest release.
#   | `Issue #9095 <https://github.com/pgadmin-org/pgadmin4/issues/9095>`_ -  Fixed an issue where pgAdmin config migration was failing while upgrading to v9.7.
#+  | `Issue #9114 <https://github.com/pgadmin-org/pgadmin4/issues/9114>`_ -  Fixed Cross-Origin Opener Policy (COOP) vulnerability in the OAuth 2.0 authentication flow (CVE-2025-9636).
#   | `Issue #9116 <https://github.com/pgadmin-org/pgadmin4/issues/9116>`_ -  Fixed an issue where editor shortcuts fail when using Option key combinations on macOS, due to macOS treating Option+Key as a different key input.
#\ No newline at end of file
diff --git a/web/config.py b/web/config.py
index 9cd24cbfac1..155a09552ff 100644
--- a/web/config.py
+++ b/web/config.py
@@ -129,6 +129,17 @@
 # See https://tools.ietf.org/html/rfc7034 for more info.
 X_FRAME_OPTIONS = "SAMEORIGIN"
 
+
+# The Cross-Origin-Opener-Policy allows a website to control whether
+# a new top-level document, opened using Window.open() or by navigating
+# to a new page, is opened in the same browsing context group (BCG)
+# or in a new browsing context group.
+# Set to 'unsafe-none', 'same-origin-allow-popups', 'same-origin',
+# or 'noopener-allow-popups'
+
+CROSS_ORIGIN_OPENER_POLICY = "same-origin"
+
+
 # The Content-Security-Policy header allows you to restrict how resources
 # such as JavaScript, CSS, or pretty much anything that the browser loads.
 # see https://content-security-policy.com/#source_list for more info
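Review bot: The new comment block above `CROSS_ORIGIN_OPENER_POLICY` explains what COOP is in general but not why the default is `same-origin` or what relaxing it costs, which is the security-relevant information an operator editing this file needs. Per the HTML specification a value the browser does not recognise is treated as `unsafe-none`, so a typo in this string silently drops the protection the patch introduces, and the comment should say so. I would replace the two "Set to ..." lines with `# 'same-origin' (the default) isolates pgAdmin's window from any cross-origin opener, which is what the OAuth 2.0 flow fix (CVE-2025-9636) relies on; 'unsafe-none', or an unrecognised value, removes that isolation. Other valid values: 'same-origin-allow-popups', 'noopener-allow-popups'.` The blank line between the comment and the assignment also detaches the two, unlike `X_FRAME_OPTIONS` just above where the comment sits directly on the setting; dropping it keeps the file's existing layout.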
diff --git a/web/pgadmin/utils/security_headers.py b/web/pgadmin/utils/security_headers.py
index 49d8f9d2d1b..4a4a8f64c79 100644
--- a/web/pgadmin/utils/security_headers.py
+++ b/web/pgadmin/utils/security_headers.py
@@ -21,6 +21,7 @@ def set_response_headers(response):
             'X_CONTENT_TYPE_OPTIONS': 'X-Content-Type-Options',
             'X_XSS_PROTECTION': 'X-XSS-Protection',
             'WEB_SERVER': 'Server',
+            'CROSS_ORIGIN_OPENER_POLICY': 'Cross-Origin-Opener-Policy'
         }
 
         # X-Frame-Options for security
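Review bot: The added dictionary entry omits the trailing comma that the preceding entries carry (`'WEB_SERVER': 'Server',`), so the literal is no longer consistently formatted and the next header added here will show up as a two-line diff; write it as `'CROSS_ORIGIN_OPENER_POLICY': 'Cross-Origin-Opener-Policy',`. The enclosing set_response_headers starts outside the hunk, so whether an operator setting the config value to None or an empty string skips the header or emits an empty `Cross-Origin-Opener-Policy:` cannot be confirmed from here; a one-line comment on this mapping stating which rule applies would spare the next reader the same question.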