Copilot AI commented Sep 30, 2025

Implements support for three additional Cross-Origin HTTP security headers as requested in #81:

  • Cross-Origin-Opener-Policy (COOP) - Controls whether a document can share a browsing context group with cross-origin documents
  • Cross-Origin-Resource-Policy (CORP) - Controls which origins can load the resource
  • Cross-Origin-Embedder-Policy (COEP) - Prevents loading cross-origin resources without explicit permission

New Configuration Directives

security_headers_coop

security_headers_coop same-origin;
  • Values: unsafe-none, same-origin-allow-popups, same-origin, omit
  • Default: omit
  • Ensures top-level documents don't share browsing context with cross-origin documents
  • Required for enabling powerful browser features like SharedArrayBuffer

security_headers_corp

security_headers_corp same-origin;
  • Values: same-site, same-origin, cross-origin, omit
  • Default: omit
  • Controls which origins can load the resource via <img>, <script>, <link>, etc.

security_headers_coep

security_headers_coep require-corp;
  • Values: unsafe-none, require-corp, omit
  • Default: omit
  • Prevents loading cross-origin resources without explicit CORP permission
  • Works with COOP to enable cross-origin isolation

Example Usage

Enable cross-origin isolation for a secure application:

server {
    listen 443 ssl;
    server_name app.example.com;
    
    security_headers on;
    security_headers_coop same-origin;
    security_headers_corp same-origin;
    security_headers_coep require-corp;
    
    location / {
        # Your application
    }
}

This configuration enables modern browser features that require cross-origin isolation while maintaining security.

Implementation Details

  • All three headers default to omit to avoid breaking existing sites
  • Can be configured at http, server, or location level with proper inheritance
  • Follows the same pattern as existing headers (security_headers_xss, security_headers_frame, etc.)
  • Comprehensive test coverage with 12 new tests
  • Complete documentation in README

References

Fixes #81

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • nginx.org
    • Triggering command: wget -O - REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Feature Request: Additional Cross-Origin headers (COOP CORP, COEP)</issue_title>
<issue_description>Implement new upcoming HTTP Cross-Origin headers.

Sources:

Comments on the Issue (you are @copilot in this section)

Fixes #17


Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
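The three directives above are only useful if the headers actually reach the browser with values that combine into cross-origin isolation. The following checker is an added example and is not part of the ngx_http_security_headers_module project: it parses a raw HTTP response head (as captured with `curl -i` or from a proxy log), validates each header against the value sets the PR description lists for the directives (an absent header corresponds to `omit`), and reports whether the response is cross-origin isolated, which requires COOP `same-origin` together with COEP `require-corp`. The sample response heads are constructed, and the allowed-value table deliberately mirrors the module's directive lists rather than the full browser specification (for instance, it treats COEP `credentialless` as unexpected because the module cannot emit it).

```python
"""Validate COOP / CORP / COEP response headers and decide cross-origin isolation.

Added example; not code from the nginx security headers module. The value sets
below mirror the PR's directive lists (absent header == the "omit" setting).
"""
from __future__ import annotations

# Allowed header values as listed for security_headers_coop / _corp / _coep.
ALLOWED: dict[str, set[str]] = {
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp"},
}

# Constructed sample: what a server using the PR's example configuration would emit.
SAMPLE_ISOLATED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "\r\n"
)

# Constructed sample: COOP set, COEP left at "omit", so no isolation.
SAMPLE_PARTIAL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "\r\n"
)

# Constructed sample: a COEP value the module does not offer.
SAMPLE_UNEXPECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: credentialless\r\n"
    "\r\n"
)


def parse_response_head(raw: str) -> dict[str, list[str]]:
    """Parse a status line plus header fields; names are lowercased, duplicates kept."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line == "":  # blank line terminates the header block
            break
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_cross_origin_headers(headers: dict[str, list[str]]) -> dict:
    """Validate the three headers and decide cross-origin isolation.

    Returns {"effective": {name: token or None}, "cross_origin_isolated": bool,
    "findings": [messages]}; None means the header was omitted.
    """
    findings: list[str] = []
    effective = {}
    for name, allowed in ALLOWED.items():
        values = headers.get(name, [])
        if not values:
            effective[name] = None  # equivalent to the directive's "omit"
            continue
        if len(values) > 1:
            findings.append(f"{name} sent {len(values)} times; emit it once")
        # COOP/COEP may carry a reporting parameter ("same-origin; report-to=x");
        # compare only the policy token, case-insensitively.
        token = values[0].split(";", 1)[0].strip().lower()
        effective[name] = token
        if token not in allowed:
            findings.append(f"{name} has value {values[0]!r}, not one of {sorted(allowed)}")
    isolated = (
        effective["cross-origin-opener-policy"] == "same-origin"
        and effective["cross-origin-embedder-policy"] == "require-corp"
    )
    if not isolated:
        findings.append("not cross-origin isolated: needs COOP same-origin and COEP require-corp")
    return {"effective": effective, "cross_origin_isolated": isolated, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("isolated", SAMPLE_ISOLATED), ("partial", SAMPLE_PARTIAL),
                          ("unexpected", SAMPLE_UNEXPECTED)):
        report = check_cross_origin_headers(parse_response_head(sample))
        print(label, report["cross_origin_isolated"], report["findings"])
```

To check a live deployment, feed the output of `curl -si https://app.example.com/` (the host from the PR's example, here only as a placeholder) into `parse_response_head`; an empty findings list together with `cross_origin_isolated == True` means the three directives are taking effect for that location.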
Copilot AI changed the title from "[WIP] Feature Request: Additional Cross-Origin headers (COOP CORP, COEP)" to "Add support for Cross-Origin security headers (COOP, CORP, COEP)" on Sep 30, 2025
Copilot AI requested a review from dvershinin September 30, 2025 15:01
@dvershinin dvershinin requested a review from Copilot December 27, 2025 01:32
Copilot AI left a comment

Pull request overview

This PR adds support for three modern Cross-Origin security headers (COOP, CORP, and COEP) to the nginx security headers module, enabling cross-origin isolation capabilities required for advanced browser features like SharedArrayBuffer.

Key Changes:

  • Added three new configuration directives (security_headers_coop, security_headers_corp, security_headers_coep) with proper enum definitions and validation
  • Implemented header filtering logic for all three headers with appropriate default behavior (omit)
  • Added comprehensive test coverage with 12 new test cases covering all possible values and combinations

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Reviewed files:

  • src/ngx_http_security_headers_module.c: core implementation; adds constant definitions, struct fields, configuration enums, command handlers, filter logic, and merge functions for the COOP, CORP, and COEP headers
  • t/headers.t: adds 12 test cases (TEST 12-23) covering all possible values for each header, including omit behavior and combined usage
  • README.md: adds documentation for all three new directives with syntax, defaults, context, and MDN reference links

Comment on lines +462 to +475
switch (slcf->coop) {
case NGX_HTTP_COOP_HEADER_UNSAFE_NONE:
ngx_str_set(&val, "unsafe-none");
break;
case NGX_HTTP_COOP_HEADER_SAME_ORIGIN_POPUPS:
ngx_str_set(&val, "same-origin-allow-popups");
break;
case NGX_HTTP_COOP_HEADER_SAME_ORIGIN:
ngx_str_set(&val, "same-origin");
break;
default:
val.len = 0;
val.data = NULL;
}
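Review bot: the omit setting is handled only by the `default:` arm of this switch (the explicit cases are UNSAFE_NONE, SAME_ORIGIN_POPUPS and SAME_ORIGIN), so any value added to the enum later would silently suppress the header instead of being noticed. Make the omit constant an explicit case and keep `default:` for the unexpected path, and add a one-line comment that `val.len = 0; val.data = NULL;` relies on the code after the switch skipping a zero-length value; the same applies to the CORP and COEP switches below.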
Copilot AI Dec 27, 2025

The switch statement has inconsistent indentation with extra leading spaces. This follows the pattern from the Referrer-Policy block above, but differs from the X-Frame-Options block which properly aligns the switch statement. The switch statement should be aligned at the same indentation level as the surrounding code (8 spaces from line start) rather than 12 spaces.

Comment on lines +486 to +499
switch (slcf->corp) {
case NGX_HTTP_CORP_HEADER_SAME_SITE:
ngx_str_set(&val, "same-site");
break;
case NGX_HTTP_CORP_HEADER_SAME_ORIGIN:
ngx_str_set(&val, "same-origin");
break;
case NGX_HTTP_CORP_HEADER_CROSS_ORIGIN:
ngx_str_set(&val, "cross-origin");
break;
default:
val.len = 0;
val.data = NULL;
}
Copilot AI Dec 27, 2025

The switch statement has inconsistent indentation with extra leading spaces. This follows the pattern from the Referrer-Policy block above, but differs from the X-Frame-Options block which properly aligns the switch statement. The switch statement should be aligned at the same indentation level as the surrounding code (8 spaces from line start) rather than 12 spaces.

Comment on lines +510 to +520
switch (slcf->coep) {
case NGX_HTTP_COEP_HEADER_UNSAFE_NONE:
ngx_str_set(&val, "unsafe-none");
break;
case NGX_HTTP_COEP_HEADER_REQUIRE_CORP:
ngx_str_set(&val, "require-corp");
break;
default:
val.len = 0;
val.data = NULL;
}
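Review bot: this is the third copy of the same enum-to-string switch (COOP at +462, CORP at +486, COEP here), differing only in the constant names and the literal strings. A small static table per header mapping each enum value to its `ngx_str_t`, looked up by a shared helper, would remove the duplication, keep the three value lists next to each other for review, and make the indentation point raised on the other two blocks moot.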
Copilot AI Dec 27, 2025

The switch statement has inconsistent indentation with extra leading spaces. This follows the pattern from the Referrer-Policy block above, but differs from the X-Frame-Options block which properly aligns the switch statement. The switch statement should be aligned at the same indentation level as the surrounding code (8 spaces from line start) rather than 12 spaces.

Successfully merging this pull request may close these issues.

Feature Request: Additional Cross-Origin headers (COOP CORP, COEP)

2 participants