@blamejs/core 0.14.19 → 0.14.20

package/lib/mail-auth.js

@@ -50,6 +50,7 @@ var validateOpts = require("./validate-opts");
 var bCrypto = require("./crypto");
 var C = require("./constants");
 var dkim = require("./mail-dkim");
+var mimeParse = require("./mime-parse");
 var safeXml = require("./parsers/safe-xml");
 var ipUtils = require("./ip-utils");
 var publicSuffix = require("./public-suffix");
@@ -2615,6 +2616,337 @@ async function iprevVerify(ip) {
   };
 }
 
+// ---- DMARC forensic (RUF) failure-report parser (RFC 6591 + RFC 7489 §7.3) ----
+//
+// A domain publishing a DMARC `ruf=` policy receives per-message
+// failure reports when an authentication check fails. RFC 7489 §7.3
+// specifies the Authentication Failure Reporting Format (AFRF) of
+// RFC 6591 for these: a multipart/report (report-type=feedback-report)
+// carrying a `message/feedback-report` part whose header block adds the
+// DMARC-specific fields (Auth-Failure, Delivery-Result, Identity-
+// Alignment, DKIM-*/SPF-* result fields) on top of the RFC 5965 base
+// fields, plus a third part (message/rfc822 or text/rfc822-headers)
+// with the reported message (in full or headers-only).
+//
+// Composes the shared lib/mime-parse.js substrate (the same MIME walker
+// the RFC 5965 ARF ingest in lib/mail-arf.js uses) for the
+// multipart/report bisection + message/feedback-report extraction, then
+// shapes the full RFC 6591 §3.1 forensic field set (which the abuse-
+// report profile does not model) plus the reported message's headers.
+//
+//   var rv = b.mail.dmarc.parseForensicReport(rawMessageBytes);
+//   if (!rv.ok) { /* rv.error.code / rv.error.message */ }
+//   else        { /* rv.report.feedbackType / .authFailure / … */ }
+//
+// Validation tier: DEFENSIVE READER. The input is hostile-by-default
+// (a per-message failure report arrives at an operator endpoint from an
+// arbitrary reporting peer). The parser RETURNS a typed error object on
+// any malformed / over-cap / wrong-shape input — it does NOT throw in
+// the hot path, so a crafted report can't crash the request that
+// ingested it. Bytes + part-count + reported-header counts are bounded
+// (CWE-400 resource-exhaustion class) like the sibling aggregate-report
+// parser.
+//
+//   { ok: true,  report: { … } }
+//   { ok: false, error: { code: "<slug>", message: "<reason>" } }
+
+// RFC 6591 §3.2 — the report is small in practice; cap at 8 MiB to match
+// the sibling DMARC aggregate-report ceiling so operators have one
+// mental model for "what fits".
+var DMARC_RUF_MAX_REPORT_BYTES = C.BYTES.mib(8);
+
+// RFC 2046 §5.1 — a multipart/report failure report has a handful of
+// parts (text/plain + message/feedback-report + the reported message);
+// bound the part count so a hostile report with thousands of empty
+// boundary delimiters can't force unbounded walk work.
+var DMARC_RUF_MAX_PARTS = 64;                                                    // resource-exhaustion bound (CWE-400)
+
+// RFC 6591 §3.1 — required forensic fields. Feedback-Type and Auth-
+// Failure are the two that make an auth-failure report a DMARC forensic
+// report (RFC 7489 §7.3). User-Agent / Version are advisory in practice.
+var DMARC_RUF_REQUIRED_FIELDS = ["feedback-type", "auth-failure"];
+
+// RFC 6591 §3.1 — Auth-Failure registry values. Unknown values pass
+// through (the IANA "Authentication Failure" registry grows); this set
+// documents the launch vocabulary so operators can route on it.
+var DMARC_RUF_AUTH_FAILURE_TYPES = Object.freeze({
+  adsp:       1,                                                                 // RFC 6591 §3.1 (historic ADSP)
+  "bodyhash": 1,                                                                 // DKIM body-hash mismatch
+  dkim:       1,                                                                 // DKIM signature failure
+  dmarc:      1,                                                                 // RFC 7489 §7.3 — DMARC evaluation failure
+  revoked:    1,                                                                 // signing key revoked
+  signature:  1,                                                                 // DKIM signature syntactically invalid
+  spf:        1,                                                                 // SPF check failure
+});
+void DMARC_RUF_AUTH_FAILURE_TYPES;
+
+// RFC 6591 §3.2 — the reported message's header section can be large but
+// is bounded; cap the number of reported headers we normalize so a
+// crafted report can't force unbounded work. The full reported message
+// text is still surfaced verbatim under `reportedMessage` (bounded by
+// the overall byte cap), but the parsed `reportedHeaders` list is
+// header-count-capped.
+var DMARC_RUF_MAX_REPORTED_HEADERS = 256;                                       // resource-exhaustion bound (CWE-400)
+
+function _rufError(code, message) {
+  return { ok: false, error: { code: code, message: message } };
+}
+
+// Parse the reported message's headers (RFC 6591 §3.2 — the third part
+// of the report carries the message that failed authentication, in full
+// or headers-only). Returns an own-keys-only map (null-prototype) of
+// header-name → value (last-wins for duplicate single-valued lookups;
+// the full ordered list is also returned) so a header named
+// `__proto__` / `constructor` in a hostile report can't pollute the
+// prototype chain (prototype-pollution class).
+function _parseReportedHeaders(reportedMessage) {
+  var ordered = [];
+  var map = Object.create(null);
+  if (typeof reportedMessage !== "string" || reportedMessage.length === 0) {
+    return { headers: ordered, map: map, truncated: false };
+  }
+  var split;
+  try { split = mimeParse.splitHeadersAndBody(reportedMessage); }
+  catch (_e) { return { headers: ordered, map: map, truncated: false }; }
+  var hdrs = Array.isArray(split.headers) ? split.headers : [];
+  var truncated = false;
+  for (var i = 0; i < hdrs.length; i += 1) {
+    if (ordered.length >= DMARC_RUF_MAX_REPORTED_HEADERS) { truncated = true; break; }
+    var h = hdrs[i];
+    if (!h || typeof h.name !== "string") continue;
+    var name = h.name;
+    var value = typeof h.value === "string" ? h.value : "";
+    ordered.push({ name: name, value: value });
+    // Own-key assignment on a null-prototype object: a reported header
+    // named __proto__ / constructor / prototype is stored as data, not
+    // walked up the chain.
+    map[name.toLowerCase()] = value;
+  }
+  return { headers: ordered, map: map, truncated: truncated };
+}
+
+// Reassemble a MIME part's headers + body so a reported message that
+// ships as text/rfc822-headers (no separate body) still round-trips its
+// header bytes (RFC 6591 §3.2 permits headers-only).
+function _reassembleRufPart(part) {
+  var hdrs = "";
+  var ph = Array.isArray(part.headers) ? part.headers : [];
+  for (var i = 0; i < ph.length; i += 1) {
+    hdrs += ph[i].name + ": " + ph[i].value + "\r\n";
+  }
+  return hdrs + "\r\n" + (part.body || "");
+}
+
+function dmarcParseForensicReport(input, opts) {
+  opts = opts || {};
+
+  // ---- Coerce + byte-cap (defensive: typed error, never throw) ----
+  var asString;
+  if (typeof input === "string") asString = input;
+  else if (Buffer.isBuffer(input)) asString = input.toString("utf8");
+  else {
+    return _rufError("mail-auth/dmarc-ruf-bad-input",
+      "dmarc.parseForensicReport: input must be a string or Buffer");
+  }
+  var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
+    ? opts.maxBytes
+    : DMARC_RUF_MAX_REPORT_BYTES;
+  if (asString.length > maxBytes) {
+    return _rufError("mail-auth/dmarc-ruf-too-large",
+      "dmarc.parseForensicReport: report exceeds " + maxBytes + " bytes (got " + asString.length + ")");
+  }
+
+  // ---- Bisect top-level headers / body; require multipart/report ----
+  var top;
+  try { top = mimeParse.splitHeadersAndBody(asString); }
+  catch (e) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: header/body split failed: " + ((e && e.message) || String(e)));
+  }
+  var ct = mimeParse.parseContentType(mimeParse.findHeader(top.headers, "Content-Type") || "");
+  if (ct.type !== "multipart/report") {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: top-level Content-Type must be multipart/report (got '" + ct.type + "')");
+  }
+  // RFC 6591 §2 / RFC 5965 §2 — report-type=feedback-report. Tolerate an
+  // omitted report-type (shipping reporters sometimes drop it); refuse a
+  // mismatched value.
+  if (ct.params["report-type"] && ct.params["report-type"].toLowerCase() !== "feedback-report") {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: report-type must be feedback-report (got '" +
+      ct.params["report-type"] + "')");
+  }
+  if (!ct.params.boundary) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: multipart/report Content-Type lacks boundary parameter");
+  }
+
+  // ---- Walk the parts; find message/feedback-report + reported msg ----
+  var parts = mimeParse.splitMimeParts(top.body, ct.params.boundary);
+  if (parts.length === 0) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: multipart/report body contains no parts");
+  }
+  if (parts.length > DMARC_RUF_MAX_PARTS) {
+    return _rufError("mail-auth/dmarc-ruf-too-many-parts",
+      "dmarc.parseForensicReport: report has " + parts.length + " parts (cap " +
+      DMARC_RUF_MAX_PARTS + ")");
+  }
+
+  var feedbackPart = null;
+  var reportedPart = null;
+  for (var pi = 0; pi < parts.length; pi += 1) {
+    var split;
+    try { split = mimeParse.splitHeadersAndBody(parts[pi]); }
+    catch (_e) { continue; }
+    var partCt = mimeParse.parseContentType(
+      mimeParse.findHeader(split.headers, "Content-Type") || "");
+    if (partCt.type === "message/feedback-report" && !feedbackPart) {
+      feedbackPart = split;
+    } else if ((partCt.type === "message/rfc822" ||
+                partCt.type === "text/rfc822-headers") && !reportedPart) {
+      reportedPart = split;
+    }
+  }
+  if (!feedbackPart) {
+    return _rufError("mail-auth/dmarc-ruf-no-feedback-report",
+      "dmarc.parseForensicReport: missing message/feedback-report subpart (RFC 6591 §3)");
+  }
+
+  // ---- Parse the feedback-report header block (RFC 6591 §3.1) ----
+  // Field names are stored own-key on a null-prototype map so a hostile
+  // field named __proto__ / constructor can't pollute the prototype.
+  var fields;
+  try { fields = mimeParse.parseHeaderBlock(feedbackPart.body); }
+  catch (e) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: feedback-report field parse failed: " + ((e && e.message) || String(e)));
+  }
+  var fieldMap = Object.create(null);
+  var rcptToList = [];
+  for (var fi = 0; fi < fields.length; fi += 1) {
+    var f = fields[fi];
+    if (!f || typeof f.name !== "string") continue;
+    var lc = f.name.toLowerCase();
+    var val = typeof f.value === "string" ? f.value : "";
+    fieldMap[lc] = val;
+    if (lc === "original-rcpt-to") rcptToList.push(val);
+  }
+  function _field(name) {
+    return Object.prototype.hasOwnProperty.call(fieldMap, name) ? fieldMap[name] : null;
+  }
+
+  // ---- Required fields (RFC 6591 §3.1 / RFC 7489 §7.3) ----
+  for (var ri = 0; ri < DMARC_RUF_REQUIRED_FIELDS.length; ri += 1) {
+    var req = DMARC_RUF_REQUIRED_FIELDS[ri];
+    var rv = _field(req);
+    if (typeof rv !== "string" || rv.length === 0) {
+      if (req === "auth-failure") {
+        return _rufError("mail-auth/dmarc-ruf-missing-auth-failure",
+          "dmarc.parseForensicReport: required field 'Auth-Failure' is missing (RFC 6591 §3.1)");
+      }
+      return _rufError("mail-auth/dmarc-ruf-missing-field",
+        "dmarc.parseForensicReport: required field '" + req + "' is missing (RFC 6591 §3.1)");
+    }
+  }
+
+  // RFC 7489 §7.3 — a DMARC forensic report carries Feedback-Type:
+  // auth-failure (the AFRF profile of RFC 6591). A report whose Feedback-
+  // Type is another ARF class (e.g. plain "abuse") is a valid feedback
+  // report but NOT a DMARC forensic report; surface the mismatch rather
+  // than mislabeling it. Field values are case-insensitive tokens.
+  var feedbackType = String(_field("feedback-type")).toLowerCase();
+  if (feedbackType !== "auth-failure") {
+    return _rufError("mail-auth/dmarc-ruf-not-auth-failure",
+      "dmarc.parseForensicReport: Feedback-Type must be 'auth-failure' for a " +
+      "DMARC forensic report (RFC 7489 §7.3 / RFC 6591), got " +
+      JSON.stringify(_field("feedback-type")));
+  }
+
+  // ---- RFC 6591 §3.2 reported message ----
+  var reportedMessage = null;
+  if (reportedPart) {
+    reportedMessage = (reportedPart.body && reportedPart.body.length > 0)
+      ? reportedPart.body
+      : _reassembleRufPart(reportedPart);
+  }
+  var reported = _parseReportedHeaders(reportedMessage);
+
+  // ---- Normalize Arrival-Date / Incidents (RFC 5965 §3.1) ----
+  var arrivalRaw = _field("arrival-date") || _field("received-date") || null;
+  var arrivalIso = null;
+  if (arrivalRaw) {
+    var d = new Date(arrivalRaw);
+    if (!isNaN(d.getTime())) arrivalIso = d.toISOString();
+  }
+  var incidentsRaw = _field("incidents");
+  var incidents = null;
+  if (typeof incidentsRaw === "string") {
+    var inc = parseInt(incidentsRaw, 10);
+    if (isFinite(inc) && inc >= 0) incidents = inc;
+  }
+
+  // Surface unmodeled fields under extraFields for operator visibility
+  // (vendor X-* tags). Own-key copy off the null-prototype fieldMap onto
+  // a null-prototype target so a field named __proto__ / constructor in a
+  // hostile report is stored as data, not as a prototype mutation.
+  var KNOWN = Object.create(null);
+  ["feedback-type", "user-agent", "version", "auth-failure",
+   "delivery-result", "identity-alignment", "dkim-domain",
+   "dkim-identity", "dkim-selector", "dkim-canonicalized-header",
+   "dkim-canonicalized-body", "spf-dns", "original-mail-from",
+   "original-rcpt-to", "arrival-date", "received-date",
+   "reported-domain", "source-ip", "authentication-results",
+   "reported-uri", "incidents", "original-envelope-id"
+  ].forEach(function (k) { KNOWN[k] = 1; });
+  var extraFields = Object.create(null);
+  Object.keys(fieldMap).forEach(function (k) {
+    if (!Object.prototype.hasOwnProperty.call(KNOWN, k)) extraFields[k] = fieldMap[k];
+  });
+
+  var report = {
+    // ---- RFC 5965 base fields ----
+    feedbackType:          _field("feedback-type"),
+    userAgent:             _field("user-agent"),
+    version:               _field("version") || "1",
+    arrivalDate:           arrivalIso || arrivalRaw,
+    reportedDomain:        _field("reported-domain"),
+    sourceIp:              _field("source-ip"),
+    originalFrom:          _field("original-mail-from"),
+    originalRcptTo:        rcptToList,
+    originalEnvelopeId:    _field("original-envelope-id"),
+    authenticationResults: _field("authentication-results"),
+    incidents:             incidents,
+    reportedUri:           _field("reported-uri"),
+
+    // ---- RFC 6591 §3.1 / RFC 7489 §7.3 forensic-specific fields ----
+    authFailure:           _field("auth-failure"),                              // RFC 6591 §3.1 — "dkim" | "spf" | "dmarc" | "bodyhash" | …
+    deliveryResult:        _field("delivery-result"),                           // RFC 6591 §3.1 — "delivered" | "spam" | "policy" | "reject" | "other"
+    identityAlignment:     _field("identity-alignment"),                        // RFC 7489 §7.3 — "none" | "spf" | "dkim" | "dkim spf"
+    dkim: {
+      domain:              _field("dkim-domain"),                               // RFC 6591 §3.1
+      identity:            _field("dkim-identity"),
+      selector:            _field("dkim-selector"),
+      canonicalizedHeader: _field("dkim-canonicalized-header"),
+      canonicalizedBody:   _field("dkim-canonicalized-body"),
+    },
+    spf: {
+      dns:                 _field("spf-dns"),                                    // RFC 6591 §3.1 — the SPF DNS record at evaluation time
+    },
+
+    // ---- RFC 6591 §3.2 reported message ----
+    reportedMessage:       reportedMessage,
+    reportedHeaders:       reported.headers,                                    // [ { name, value }, … ] — order preserved
+    reportedHeaderMap:     reported.map,                                        // null-prototype lower-cased-name → value
+    reportedHeadersTruncated: reported.truncated,                               // true when the §3.2 header cap clipped the list
+
+    // ---- operator-visible passthrough for unmodeled fields ----
+    extraFields:           extraFields,
+  };
+
+  return { ok: true, report: report };
+}
+
 module.exports = {
   spf: Object.freeze({
     verify:        spfVerify,
@@ -2625,6 +2957,7 @@ module.exports = {
     parseRecord:              _parseDmarcRecord,
     parseAggregateReport:     dmarcParseAggregateReport,
     buildAggregateReport:     dmarcBuildAggregateReport,
+    parseForensicReport:      dmarcParseForensicReport,
   }),
   arc: Object.freeze({
     verify:        arcVerify,

package/lib/middleware/fetch-metadata.js

@@ -43,6 +43,52 @@ var observability = lazyRequire(function () { return require("../observability")
 
 var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
 
+// Sec-Fetch-Dest request-destination vocabulary (Fetch Standard §3.2.6
+// "destination", https://fetch.spec.whatwg.org/#concept-request-destination;
+// surfaced as the Sec-Fetch-Dest header by the Fetch Metadata Request
+// Headers spec, https://www.w3.org/TR/fetch-metadata/#sec-fetch-dest-header).
+// "webidentity" (FedCM credentialed-request destination,
+// https://w3c.github.io/FedCM/) is included so an operator can recognize
+// and gate FedCM traffic first-class — a webidentity Sec-Fetch-Dest on a
+// route that is not a FedCM identity endpoint is a request worth refusing.
+var KNOWN_DESTINATIONS = Object.freeze([
+  "audio", "audioworklet", "document", "embed", "empty", "fencedframe",
+  "font", "frame", "iframe", "image", "json", "manifest", "object",
+  "paintworklet", "report", "script", "serviceworker", "sharedworker",
+  "style", "track", "video", "webidentity", "worker", "xslt",
+]);
+var KNOWN_DEST_SET = Object.create(null);
+(function () {
+  for (var i = 0; i < KNOWN_DESTINATIONS.length; i += 1) {
+    KNOWN_DEST_SET[KNOWN_DESTINATIONS[i]] = true;
+  }
+})();
+
+// Sec-Fetch-Storage-Access status values (Storage Access API,
+// https://privacycg.github.io/storage-access-headers/ — the header is
+// distinct from Sec-Fetch-Dest). The browser sends this only on cross-site
+// credentialed requests. "active" / "inactive" both indicate the embedded
+// context can (active) or could (inactive, permission granted but not yet
+// exercised) reach unpartitioned cross-site cookies; "none" carries no
+// such capability. A route that does not participate in the Storage Access
+// flow may refuse the active/inactive escalation.
+var STORAGE_ACCESS_ESCALATED = Object.freeze({ active: true, inactive: true });
+
+function _validateDestList(list, label) {
+  // Config-time tier — an unknown Sec-Fetch-Dest value in a strict
+  // allow/deny list is almost always an operator typo (e.g. "web-identity"
+  // for "webidentity"). Throw at boot per the config/entry-point tier so
+  // the typo surfaces before it silently fails to match at request time.
+  if (!Array.isArray(list)) return;
+  for (var i = 0; i < list.length; i += 1) {
+    if (!KNOWN_DEST_SET[list[i]]) {
+      throw new Error("middleware.fetchMetadata: " + label + "[" + i +
+        "] is not a known Sec-Fetch-Dest value (got '" + String(list[i]) +
+        "'). Known destinations: " + KNOWN_DESTINATIONS.join(", ") + ".");
+    }
+  }
+}
+
 function _writeReject(req, res, message, reason, onDeny, problemMode) {
   denyResponse(req, res, {
     onDeny:        onDeny,
@@ -75,17 +121,30 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * the value-add; non-browser callers carry their own auth threat
  * model.
  *
+ * The Sec-Fetch-Dest vocabulary tracks the Fetch Standard request-
+ * destination list, including `webidentity` (FedCM credentialed
+ * requests). `deniedDest` refuses chosen destinations outright on the
+ * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
+ * that is not an identity endpoint is refused. `allowStorageAccess:
+ * false` refuses the Storage Access API escalation (a cross-site request
+ * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
+ * that do not participate in the Storage Access flow. Both are opt-in;
+ * leaving them unset preserves the prior behavior exactly.
+ *
  * @opts
  *   {
- *     allowSameSite:   boolean,    // default true
- *     allowCrossSite:  boolean,    // default false
- *     allowMissing:    boolean,    // default true
- *     allowedDest:     string[],
- *     allowedNavigate: boolean,    // default true
- *     methods:         string[],   // default POST/PUT/DELETE/PATCH
- *     audit:           boolean,    // default true
- *     onDeny:          function(req, res, info): void,  // own the 403; info = { status, reason }
- *     problemDetails:  boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
+ *     allowSameSite:      boolean,    // default true
+ *     allowCrossSite:     boolean,    // default false
+ *     allowMissing:       boolean,    // default true
+ *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
+ *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
+ *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
+ *     allowedNavigate:    boolean,    // default true
+ *     methods:            string[],   // default POST/PUT/DELETE/PATCH
+ *     audit:              boolean,    // default true
+ *     onDeny:             function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:     boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -102,15 +161,34 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "allowSameSite", "allowCrossSite", "allowMissing",
-    "allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
+    "allowedDest", "deniedDest", "allowStorageAccess", "strictDest",
+    "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
   ], "middleware.fetchMetadata");
+  validateOpts.optionalBoolean(opts.allowStorageAccess, "middleware.fetchMetadata: allowStorageAccess");
+  validateOpts.optionalBoolean(opts.strictDest, "middleware.fetchMetadata: strictDest");
+  validateOpts.optionalNonEmptyStringArray(opts.deniedDest, "middleware.fetchMetadata: deniedDest");
+  if (opts.strictDest === true) {
+    _validateDestList(opts.allowedDest, "allowedDest");
+    _validateDestList(opts.deniedDest, "deniedDest");
+  }
 
   var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
   var problemMode = opts.problemDetails === true;
-  var allowSameSite   = opts.allowSameSite !== false;
-  var allowCrossSite  = opts.allowCrossSite === true;
-  var allowMissing    = opts.allowMissing !== false;
-  var allowedDest     = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowSameSite      = opts.allowSameSite !== false;
+  var allowCrossSite     = opts.allowCrossSite === true;
+  var allowMissing       = opts.allowMissing !== false;
+  var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // deniedDest → a null-prototype membership map; an operator-supplied
+  // destination string is never assigned onto a plain object, so no
+  // reserved name (__proto__ / constructor / prototype) can pollute it.
+  var deniedDest = null;
+  if (Array.isArray(opts.deniedDest) && opts.deniedDest.length > 0) {
+    deniedDest = Object.create(null);
+    for (var di = 0; di < opts.deniedDest.length; di += 1) {
+      deniedDest[opts.deniedDest[di]] = true;
+    }
+  }
   var allowedNavigate = opts.allowedNavigate !== false;
   var methods         = (opts.methods || DEFAULT_METHODS).map(function (m) { return m.toUpperCase(); });
   var auditOn         = opts.audit !== false;
@@ -139,6 +217,16 @@ function create(opts) {
     var mode = headers["sec-fetch-mode"];
     var dest = headers["sec-fetch-dest"];
 
+    // Destination refusal — independent of site. A FedCM `webidentity`
+    // (or any operator-denied) Sec-Fetch-Dest on a route that is not an
+    // identity endpoint is refused outright. The membership test is exact
+    // (null-prototype map keyed on the verbatim header value), never a
+    // substring scan.
+    if (deniedDest && typeof dest === "string" && deniedDest[dest] === true) {
+      _emitDenied(req, "dest-denied (dest=" + dest + ")");
+      return _writeReject(req, res, "Request destination not allowed for this route.", "dest-not-allowed", onDeny, problemMode);
+    }
+
     if (typeof site !== "string" || site.length === 0) {
       // No Sec-Fetch-Site header — legacy browser or non-browser client.
       // Defer to other auth/CSRF layers per allowMissing.
@@ -165,6 +253,19 @@ function create(opts) {
     }
 
     // cross-site
+    // Storage Access API escalation — the browser sends
+    // Sec-Fetch-Storage-Access only on cross-site credentialed requests.
+    // active|inactive both mean the embedded context can / could reach
+    // unpartitioned cross-site cookies; refuse it on routes that do not
+    // participate in the Storage Access flow. Exact membership, never a
+    // substring scan. Checked before the allowCrossSite shortcut so the
+    // escalation is gated even when cross-site is otherwise permitted.
+    var storageAccess = headers["sec-fetch-storage-access"];
+    if (!allowStorageAccess && typeof storageAccess === "string" &&
+        STORAGE_ACCESS_ESCALATED[storageAccess] === true) {
+      _emitDenied(req, "storage-access-refused (status=" + storageAccess + ")");
+      return _writeReject(req, res, "Storage Access escalation not allowed for this route.", "storage-access-refused", onDeny, problemMode);
+    }
     if (allowCrossSite) return next();
     if (allowedDest && typeof dest === "string" && allowedDest.indexOf(dest) !== -1) {
       return next();

package/lib/middleware/security-headers.js

@@ -34,6 +34,18 @@
  *     dnsPrefetchControl:   'off' (default) or 'on' or false
  *     csp:                  '<full CSP string>' or false to disable
  *   }
+ *
+ * Monitor-mode opt-ins (all default-off; unset emits no new header):
+ *
+ *   coopReportOnly / coepReportOnly / documentPolicyReportOnly — set a
+ *     policy string to emit the matching `*-Report-Only` header so the
+ *     operator can roll out the enforcing policy in monitor mode first.
+ *     The browser reports violations (to a Reporting-Endpoints group named
+ *     in the value, e.g. `same-origin; report-to="coop"`) without blocking.
+ *   requireDocumentPolicy — the embedder-required Document-Policy a
+ *     subframe must advertise before this document will embed it.
+ *   serviceWorkerAllowed — broadens the max scope a service worker
+ *     registered from this script may claim (the operator opts in).
  */
 
 var requestHelpers = require("../request-helpers");
@@ -186,6 +198,11 @@ function _validatePermissionsPolicy(value) {
  *     criticalCh:         string|false,
  *     reportingEndpoints: object,
  *     trustProxy:         boolean|number,
+ *     coopReportOnly:           string,  // default: off — monitor-mode COOP
+ *     coepReportOnly:           string,  // default: off — monitor-mode COEP
+ *     documentPolicyReportOnly: string,  // default: off — monitor-mode Document-Policy
+ *     requireDocumentPolicy:    string,  // default: off — embedder-required subframe policy
+ *     serviceWorkerAllowed:     string,  // default: off — broadens SW registration scope
  *   }
  *
  * @example
@@ -202,6 +219,8 @@ function create(opts) {
     "permissionsPolicy", "coop", "coep", "corp",
     "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
     "reportingEndpoints", "documentPolicy", "criticalCh", "acceptCh",
+    "coopReportOnly", "coepReportOnly", "documentPolicyReportOnly",
+    "requireDocumentPolicy", "serviceWorkerAllowed",
   ], "middleware.securityHeaders");
   if (opts.permissionsPolicy && typeof opts.permissionsPolicy === "string") {
     _validatePermissionsPolicy(opts.permissionsPolicy);
@@ -222,6 +241,26 @@ function create(opts) {
   var docPolicy = opts.documentPolicy === undefined ? DEFAULT_DOCUMENT_POLICY : opts.documentPolicy;
   var criticalCh = opts.criticalCh && typeof opts.criticalCh === "string" ? opts.criticalCh : false;
   var acceptCh   = opts.acceptCh   && typeof opts.acceptCh   === "string" ? opts.acceptCh   : false;
+  // Monitor-mode + scope opt-ins — all default-off. Each only emits its
+  // header when the operator passes a non-empty string; unset = silent.
+  //   coopReportOnly / coepReportOnly — WHATWG HTML cross-origin isolation
+  //     report-only variants: the UA evaluates the policy and reports
+  //     violations to the named Reporting-Endpoints group without
+  //     enforcing, so an operator can verify a same-origin / require-corp
+  //     rollout won't break embeds before flipping the enforcing header.
+  //   documentPolicyReportOnly — W3C Document Policy report-only variant
+  //     (same monitor-mode semantics for the Document-Policy feature set).
+  //   requireDocumentPolicy — W3C Document Policy: the policy a subframe
+  //     must itself advertise (via Document-Policy) before this document
+  //     will embed it; the embedder declares its floor.
+  //   serviceWorkerAllowed — W3C Service Workers §Service-Worker-Allowed:
+  //     widens the max scope a worker registered from this script may
+  //     claim beyond the script's own path. Operator opts in explicitly.
+  var coopReportOnly = opts.coopReportOnly && typeof opts.coopReportOnly === "string" ? opts.coopReportOnly : false;
+  var coepReportOnly = opts.coepReportOnly && typeof opts.coepReportOnly === "string" ? opts.coepReportOnly : false;
+  var docPolicyReportOnly = opts.documentPolicyReportOnly && typeof opts.documentPolicyReportOnly === "string" ? opts.documentPolicyReportOnly : false;
+  var requireDocPolicy = opts.requireDocumentPolicy && typeof opts.requireDocumentPolicy === "string" ? opts.requireDocumentPolicy : false;
+  var serviceWorkerAllowed = opts.serviceWorkerAllowed && typeof opts.serviceWorkerAllowed === "string" ? opts.serviceWorkerAllowed : false;
   // Reporting-Endpoints (W3C Reporting API) — when operator passes a
   // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
   // name2="url2", ...` and (when default CSP is in force) append
@@ -273,6 +312,14 @@ function create(opts) {
     if (acceptCh)           res.setHeader("Accept-CH", acceptCh);
     if (criticalCh)         res.setHeader("Critical-CH", criticalCh);
     if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
+    // Monitor-mode + scope opt-ins — emitted only when the operator set
+    // the corresponding opt; the enforcing COOP/COEP/Document-Policy
+    // headers above are unaffected.
+    if (coopReportOnly)       res.setHeader("Cross-Origin-Opener-Policy-Report-Only", coopReportOnly);
+    if (coepReportOnly)       res.setHeader("Cross-Origin-Embedder-Policy-Report-Only", coepReportOnly);
+    if (docPolicyReportOnly)  res.setHeader("Document-Policy-Report-Only", docPolicyReportOnly);
+    if (requireDocPolicy)     res.setHeader("Require-Document-Policy", requireDocPolicy);
+    if (serviceWorkerAllowed) res.setHeader("Service-Worker-Allowed", serviceWorkerAllowed);
     next();
   };
 }