#23465: Gateway: strengthen Control UI security headers
Labels: app: web-ui, gateway, size: XS, trusted-contributor
## Summary
- tighten Control UI CSP with `form-action 'none'` and `frame-src 'none'`
- add additional hardening headers on Control UI responses:
  - `Cross-Origin-Opener-Policy: same-origin`
  - `Cross-Origin-Resource-Policy: same-origin`
  - strict `Permissions-Policy` defaults
- extend Control UI header tests to assert the new policy headers/directives
## Why
Control UI already blocks framing and inline scripts; this closes additional browser-side isolation gaps and reduces clickjacking/XSS token-exfil class risk when proxies are misconfigured.
## Testing
- `pnpm test src/gateway/control-ui-csp.test.ts src/gateway/control-ui.http.test.ts`
- `pnpm check`
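One way the extended header tests could verify the directives listed above, as an added example that is not code from this PR or the project (header names and values are the ones named in the summary; the function names and the sample response are constructed here):

```typescript
// Added example, not the project's own code: checks that a Control UI response
// carries the headers this PR introduces; function names are assumptions.
type HeaderMap = Record<string, string>;
// Parse a Content-Security-Policy value into directive -> source tokens.
function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name.toLowerCase(), values);
  }
  return out;
}
// Parse a Permissions-Policy value into feature -> allowlist entries.
function parsePermissionsPolicy(pp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of pp.split(",")) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/i);
    if (m) out.set(m[1].toLowerCase(), m[2].split(/\s+/).filter(Boolean));
  }
  return out;
}
// Return every gap found; an empty list means the PR's policy is fully applied.
function checkControlUiHeaders(headers: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems: string[] = [];
  const csp = parseCsp(h["content-security-policy"] ?? "");
  for (const d of ["form-action", "frame-src"]) {
    if ((csp.get(d) ?? []).join(" ") !== "'none'") problems.push(`CSP ${d} must be 'none'`);
  }
  const isolation: HeaderMap = {
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
  };
  for (const [name, want] of Object.entries(isolation)) {
    if ((h[name] ?? "").trim().toLowerCase() !== want) problems.push(`${name} must be ${want}`);
  }
  const pp = parsePermissionsPolicy(h["permissions-policy"] ?? "");
  for (const f of ["camera", "microphone", "geolocation"]) {
    if ((pp.get(f) ?? ["missing"]).length > 0) problems.push(`Permissions-Policy ${f} must be ()`);
  }
  return problems;
}
// Constructed sample: headers a hardened Control UI response would carry.
const sampleHeaders: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; form-action 'none'; frame-src 'none'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
```

Running `checkControlUiHeaders` against a response with only `default-src 'self'` reports every missing directive and header, which is the shape of assertion the CSP and HTTP test files would make.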
### Greptile Summary
Strengthened Control UI security by adding CSP directives (`form-action 'none'`, `frame-src 'none'`) and browser isolation headers (`Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy`, `Permissions-Policy`) to prevent clickjacking, form-based attacks, and cross-origin token exfiltration when proxies are misconfigured.
- Added `form-action 'none'` and `frame-src 'none'` CSP directives to block form submissions and embedded frames
- Added `Cross-Origin-Opener-Policy: same-origin` to isolate the browsing context from cross-origin openers
- Added `Cross-Origin-Resource-Policy: same-origin` to prevent cross-origin resource access
- Added strict `Permissions-Policy` denying access to sensitive browser APIs (camera, microphone, geolocation, etc.)
- Extended test coverage to assert all new headers and CSP directives are applied correctly
### Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- The changes add defense-in-depth security headers without modifying existing functionality. All changes are additive (new CSP directives and HTTP headers), fully tested, and follow established security best practices. The implementation correctly applies standard browser security headers (COOP, CORP, Permissions-Policy) alongside the existing security posture (X-Frame-Options, CSP). Tests verify all new directives are present and correctly formatted.
- No files require special attention
Last reviewed commit: b061986