Fixed Cross-Origin Opener Policy (COOP) vulnerability in the OAuth 2.0 authentication flow (CVE-2025-9636). #9114

khushboovashi · khushboovashi · commit cdeb18fcbb13 · 2025-09-01T16:34:18.000+05:30
diff --git a/docs/en_US/release_notes_9_8.rst b/docs/en_US/release_notes_9_8.rst
@@ -35,4 +35,5 @@ Bug fixes
 
   | `Issue #9090 <https://github.com/pgadmin-org/pgadmin4/issues/9090>`_ -  Pin Paramiko to version 3.5.1 to fix the DSSKey error introduced in the latest release.
   | `Issue #9095 <https://github.com/pgadmin-org/pgadmin4/issues/9095>`_ -  Fixed an issue where pgAdmin config migration was failing while upgrading to v9.7.
+  | `Issue #9114 <https://github.com/pgadmin-org/pgadmin4/issues/9114>`_ -  Fixed Cross-Origin Opener Policy (COOP) vulnerability in the OAuth 2.0 authentication flow (CVE-2025-9636).
   | `Issue #9116 <https://github.com/pgadmin-org/pgadmin4/issues/9116>`_ -  Fixed an issue where editor shortcuts fail when using Option key combinations on macOS, due to macOS treating Option+Key as a different key input.
diff --git a/web/config.py b/web/config.py
@@ -129,6 +129,17 @@
 # See https://tools.ietf.org/html/rfc7034 for more info.
 X_FRAME_OPTIONS = "SAMEORIGIN"
 
+
+# The Cross-Origin-Opener-Policy allows a website to control whether
+# a new top-level document, opened using Window.open() or by navigating
+# to a new page, is opened in the same browsing context group (BCG)
+# or in a new browsing context group.
+# Set to 'unsafe-none', 'same-origin-allow-popups', 'same-origin',
+# or 'noopener-allow-popups'
+
+CROSS_ORIGIN_OPENER_POLICY = "same-origin"
+
+
 # The Content-Security-Policy header allows you to restrict how resources
 # such as JavaScript, CSS, or pretty much anything that the browser loads.
 # see https://content-security-policy.com/#source_list for more info
diff --git a/web/pgadmin/utils/security_headers.py b/web/pgadmin/utils/security_headers.py
@@ -21,6 +21,7 @@ def set_response_headers(response):
             'X_CONTENT_TYPE_OPTIONS': 'X-Content-Type-Options',
             'X_XSS_PROTECTION': 'X-XSS-Protection',
             'WEB_SERVER': 'Server',
+            'CROSS_ORIGIN_OPENER_POLICY': 'Cross-Origin-Opener-Policy'
         }
 
         # X-Frame-Options for security

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ def set_response_headers(response):`
`21`	`21`	`'X_CONTENT_TYPE_OPTIONS': 'X-Content-Type-Options',`
`22`	`22`	`'X_XSS_PROTECTION': 'X-XSS-Protection',`
`23`	`23`	`'WEB_SERVER': 'Server',`
	`24`	`+ 'CROSS_ORIGIN_OPENER_POLICY': 'Cross-Origin-Opener-Policy'`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`# X-Frame-Options for security`