Merge pull request #2397 from GSA/2391-youtube-video-not-playing

2391 - Updating Cross Origin code to allow Youtube
2026-02-06 11:23:48 -05:00 · 2025-03-14 12:53:59 -07:00
parent 592ea83ea2 5a1b656d7e
commit 9facde2c60
1 changed files with 7 additions and 5 deletions
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -75,11 +75,13 @@ class ResponseHeaderMiddleware(object):
            if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                headers.append((SPAN_ID_HEADER, str(req.span_id)))

-            # Some dynamic scan findings
-            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
-            headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
-            headers.append(("Cross-Origin-Resource-Policy", "same-origin"))
-            headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+            # Set COOP once (needed for security)
+            if "cross-origin-opener-policy" not in lower_existing_header_names:
+                headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+
+            # Ensure `Cross-Origin-Resource-Policy: cross-origin` is set
+            if "cross-origin-resource-policy" not in lower_existing_header_names:
+                headers.append(("Cross-Origin-Resource-Policy", "cross-origin"))

            # svg content type should not contain charset
            found_svg = False