Add Support Credentialless COEP Header

franticticktick · franticticktick · commit abca162b4f66 · 2025-05-01T18:44:30.000+03:00
Closes spring-projectsgh-16991 Signed-off-by: Max Batischev <mblancer@mail.ru>
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.5.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.5.rnc
@@ -1308,7 +1308,7 @@ cross-origin-embedder-policy =
 	element cross-origin-embedder-policy {cross-origin-embedder-policy-options.attlist,empty}
 cross-origin-embedder-policy-options.attlist &=
 	## The policies for the Cross-Origin-Embedder-Policy header.
-	attribute policy {"unsafe-none","require-corp"}?
+	attribute policy {"unsafe-none","require-corp", "credentialless"}?
 
 cross-origin-resource-policy =
 	## Adds support for Cross-Origin-Resource-Policy header
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.5.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.5.xsd
@@ -3668,6 +3668,7 @@
             <xs:restriction base="xs:token">
                <xs:enumeration value="unsafe-none"/>
                <xs:enumeration value="require-corp"/>
+               <xs:enumeration value="credentialless"/>
             </xs:restriction>
          </xs:simpleType>
       </xs:attribute>
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/CrossOriginEmbedderPolicyHeaderWriter.java
@@ -58,7 +58,9 @@ public enum CrossOriginEmbedderPolicy {
 
 		UNSAFE_NONE("unsafe-none"),
 
-		REQUIRE_CORP("require-corp");
+		REQUIRE_CORP("require-corp"),
+
+		CREDENTIALLESS("credentialless");
 
 		private final String policy;
 
diff --git a/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java b/web/src/main/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,7 +61,9 @@ public enum CrossOriginEmbedderPolicy {
 
 		UNSAFE_NONE("unsafe-none"),
 
-		REQUIRE_CORP("require-corp");
+		REQUIRE_CORP("require-corp"),
+
+		CREDENTIALLESS("credentialless");
 
 		private final String policy;
 
