What happens when you set the header to: same-origin-allow-popups?

@zero-24 It works fine with same-origin-allow-popups

Great than i would recommend to go with that on such sites. ?

@zero-24 Can we change the default value to ease our lives?

I would not change the default value given that on the most sites same-origin is the best fit only on sites that have such logins we need such workarround. But maybe @bembelimen has a different opinion?

Whatever is decided it must be documented

@zero-24 Take into account that the problem is completely silent.

There is no browser or console error.

The social login doesn't work and there's is no way to diagnose the misconfiguration than checking everything to single out that the issue comes from the security headers and then comparing them against a working Joomla 3 site.

@anibalsanchez how is the integration be done? Wrote it your self or 3rd party plugin? I'm against changing the default but documentation is needed at https://docs.joomla.org/Potential_backward_compatibility_issues_in_Joomla_4

@zero-24 do we have a documentation what the http header plugin does so we can link to it?

@zero-24 do we have a documentation what the http header plugin does so we can link to it?

https://docs.joomla.org/J4.x:Http_Header_Management ;)

@zero-24 do we have a documentation what the http header plugin does so we can link to it?

https://docs.joomla.org/J4.x:Http_Header_Management ;)

perfect so we can link this in the upgrade process and maybe b/c issues list?

@HLeithner The integration is done with a plugin and the official JavaScript SDK for Facebook Login. It is a well-documented method that has been working for years.

If you want to block it by default, there is not much else I can add. I'm sure that decision also affects other JavaScript SDKs.

It sounds like I want to pillory you. Which is actually not the case, it's a security thing which is on per default and can be disabled if you need the functionality.

More information can be found at https://www.chromestatus.com/feature/5432089535053824 and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

@HLeithner Joomla 4 is sending the header to enforce a particular stance about how secure sites must be on Joomla. This "security thing" is not activated by default on the browsers. If you disable the setting, it works as always.

It looks to me that you are trying to discourage the JavaScript SDKs that we use today and adding one more roadblock to implement them to the current users.

It looks to me that you are trying to discourage the JavaScript SDKs that we use today and adding one more roadblock to implement them to the current users.

The idea is more to go best practise regarding security and not open up a holes just because a few people need a less restricted environment. If you're the developer of your facebook plugin, why don't you point it out in the options and offer a link where the user can set it up. Or you can set your own header.

But I'm also against changing the default parameter here and that has nothing to do with explicit blocking out JavaScript SDKs...

Sure, we can always ask people to dig into non-trivial configurations or develop system plugins just to override security headers for common JavaScript SDKs.

Based on the comments by @bembelimen and @HLeithner above this should be closed