From 21408543d4da84160532cfd101d456864219a35d Mon Sep 17 00:00:00 2001
From: Jonathan Bobel
Date: Wed, 12 Mar 2025 12:52:32 -0400
Subject: [PATCH 1/3] Update request_helper.py

Adjusting cross-origin checks to allow Youtube

---
 notifications_utils/request_helper.py | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 5c3317744..992deb203 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -75,11 +75,23 @@ class ResponseHeaderMiddleware(object):
 if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
- # Some dynamic scan findings
- headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
- headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
- headers.append(("Cross-Origin-Resource-Policy", "same-origin"))
- headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+ def rewrite_response_headers(status, headers, exc_info=None):
+ lower_existing_header_names = {name.lower() for name, value in headers}
+
+ # Set COOP once (needed for security)
+ if "cross-origin-opener-policy" not in lower_existing_header_names:
+ headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
+
+ # Ensure `Cross-Origin-Resource-Policy: cross-origin` is set
+ if "cross-origin-resource-policy" not in lower_existing_header_names:
+ headers.append(("Cross-Origin-Resource-Policy", "cross-origin"))
+
+ # Apply COEP restrictions to everything except YouTube
+ if "youtube.com" not in request.url and "youtube-nocookie.com" not in request.url:
+ if "cross-origin-embedder-policy" not in lower_existing_header_names:
+ headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
+
+ return start_response(status, headers, exc_info)
 
 # svg content type should not contain charset
 found_svg = False
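Review bot: The removed `Cross-Origin-Resource-Policy: same-origin` comes back as `cross-origin` in the appended `("Cross-Origin-Resource-Policy", "cross-origin")`, which is the permissive value: it lets any origin load this service's responses as no-cors subresources, while the description's aim of allowing YouTube appears to concern embeds on this app's own pages, which the Embedder-Policy on those pages governs, not the Resource-Policy on responses this service emits. Unless a specific external consumer of these responses is known, `headers.append(("Cross-Origin-Resource-Policy", "same-origin"))` keeps the previous protection; the same `cross-origin` value is carried forward unchanged into the third patch's hunk. The comment `# Ensure ... is set` reads as enforcement, but the `not in lower_existing_header_names` guard makes it a default that any value a view already sent overrides, which is worth saying in the comment. The enclosing `rewrite_response_headers` begins before the hunk, and the nested `def` of the same name added here is removed again by the third patch.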
From 236fafd5975045897cb83ef9193f05bba0b198ff Mon Sep 17 00:00:00 2001
From: Jonathan Bobel
Date: Thu, 13 Mar 2025 14:26:45 -0400
Subject: [PATCH 2/3] Update request_helper.py

---
 notifications_utils/request_helper.py | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 992deb203..dd0fc0804 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -86,11 +86,6 @@ class ResponseHeaderMiddleware(object):
 if "cross-origin-resource-policy" not in lower_existing_header_names:
 headers.append(("Cross-Origin-Resource-Policy", "cross-origin"))
 
- # Apply COEP restrictions to everything except YouTube
- if "youtube.com" not in request.url and "youtube-nocookie.com" not in request.url:
- if "cross-origin-embedder-policy" not in lower_existing_header_names:
- headers.append(("Cross-Origin-Embedder-Policy", "require-corp"))
-
 return start_response(status, headers, exc_info)
 
 # svg content type should not contain charset

From 5a1b656d7e0a5963e1caca75eb2ff8cf99f4094e Mon Sep 17 00:00:00 2001
From: Jonathan Bobel
Date: Fri, 14 Mar 2025 12:13:52 -0400
Subject: [PATCH 3/3] Update notifications_utils/request_helper.py

Co-authored-by: ccostino

---
 notifications_utils/request_helper.py | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index dd0fc0804..dfc4c0c70 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -75,18 +75,13 @@ class ResponseHeaderMiddleware(object):
 if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
- def rewrite_response_headers(status, headers, exc_info=None):
- lower_existing_header_names = {name.lower() for name, value in headers}
+ # Set COOP once (needed for security)
+ if "cross-origin-opener-policy" not in lower_existing_header_names:
+ headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
 
- # Set COOP once (needed for security)
- if "cross-origin-opener-policy" not in lower_existing_header_names:
- headers.append(("Cross-Origin-Opener-Policy", "same-origin"))
-
- # Ensure `Cross-Origin-Resource-Policy: cross-origin` is set
- if "cross-origin-resource-policy" not in lower_existing_header_names:
- headers.append(("Cross-Origin-Resource-Policy", "cross-origin"))
-
- return start_response(status, headers, exc_info)
+ # Ensure `Cross-Origin-Resource-Policy: cross-origin` is set
+ if "cross-origin-resource-policy" not in lower_existing_header_names:
+ headers.append(("Cross-Origin-Resource-Policy", "cross-origin"))
 
 # svg content type should not contain charset
 found_svg = False
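Review bot: The comment `# Set COOP once (needed for security)` above the Opener-Policy append gives a reader nothing to verify: "once" refers to a duplicate append that no longer exists in this version of the block, and "needed for security" does not say what the header does. A comment stating the effect would help, e.g. `# COOP same-origin: cross-origin pages that open this app, or that it opens, get no window.opener reference to it`. Because the middleware applies this to every response it sees, any cross-origin popup flow that relies on `window.opener` would be affected; whether such a flow exists is not visible from this hunk. The same `not in lower_existing_header_names` guard means a view that already set either header keeps its own value, which the `# Ensure ... is set` wording on the Resource-Policy block does not convey. `rewrite_response_headers` begins before the hunk.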