-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider asserting a Cross-Origin-Resource-Policy
?
#13782
Comments
Makes sense to me. @xtuc can you help make this happen? |
FYI: BootstrapCDN rolled this out last week (jsdelivr/bootstrapcdn#1495). Thus far, nothing's exploded. :) |
Always a good sign. 😂 @xtuc is it worth compiling a list of all header changes from this issue & others, so that they can all be sent across to have the changes made? |
Friendly ping. I'd also point to https://resourcepolicy.fyi/ as hopefully helpful context. :) |
Sorry for the delay, I'm going to look into it. |
Hey folks! Bootstrap rolled this out in April (jsdelivr/bootstrapcdn#1495). JSDelivr rolled it out last month (jsdelivr/jsdelivr#18201). I'd appreciate y'all taking another look to see if you can squeeze this onto your roadmap. Thanks! |
Today Chrome started blocking my CORS requests to cdnjs because of the lack of the Update: It seems to have been a change on itch.io servers, not Chrome, since they started specifying |
https://resourcepolicy.fyi/#corp-and-isolation outlines the expected interaction between In the short-term, @rubenlg, you should be able to shift to CORS-enabled requests by adding |
Thanks @mikewest, that's very useful! As an alternative for others landing on this issue, I ended up shipping the library alongside the game, rather than pulling it from cdnjs. Incidentally, it also makes the game slightly faster to load, since there is no need for extra DNS lookups. |
@mikewest sorry for the delay. We started deploying this change in a few locations. |
This is great to hear, thank you! |
Looping in to add some support for the request to support the CORP Header on all assets!
I'm writing a blog and listing CDNs that already provide this so it'd be great to add cdnjs! |
Hey Scott! We're currently rolling this out to a few edge locations and will continue to do so over the next few days. We currently serve the ACAO header on the following assets, and will also serve the CORP header going forward:
The following extensions are served by the CDN but won't have an ACAO/CORP response:
Do let me know if you think other extensions should be added (or if just serving it on everything would be advisable). |
Pages that opt-into cross-origin isolation will block any response that doesn't explicitly allow itself to be embedded via either CORP or CORS (https://resourcepolicy.fyi/#corp-and-isolation has some more detail, as does https://web.dev/coop-coep/). If you expect resources with these extensions to be used cross-origin, it seems reasonable to allow them to be loaded via appropriate ACAO and CORP headers. Of the file extensions you've pointed to that aren't allowed via CORS or CORP, the image types ( JSON is interesting, as the answer somewhat depends upon what the JSON represents. If it's static data that doesn't reveal anything about a given user, then ACAO/CORP seem reasonable. If it's personalized data, then granular ACLs via CORS seem like the right choice. |
Yeah, everything on the CDN is completely public, nothing user-specific, so adding ACAO/CORP to all our responses seems sensible as part of this roll-out (I think we'll likely get CORP out on the extensions we already serve ACAO on first, then do a second roll-out to enable ACAO/CORP on everything). |
That sounds good to me. Thank you for following up! |
CORP header now added to all existing assets that had existing ACAO header. |
CORS and CORP headers are now send for all file types (except for .swf). I'm going ahead and close this issue. |
Hey folks! Hopefully this is a reasonable repository for requests like this one. :)
Cross-Origin-Resource-Policy
(CORP) is an HTTP response header that asserts a scope in which a given resource is allowed to be embedded. Today, the default for all resources is to allow cross-site loads, which unfortunately creates the conditions for side-channel attacks via Spectre, et al. With this background, browser vendors are interested in changing this default generally in the long-term, and in the short-term will allow developers to require explicit opt-in viaCross-Origin-Embedder-Policy
. This opt-in will be a prerequisite for some particularly interesting APIs likeSharedArrayBuffer
.To support this migration, it would be ideal if y'all could begin adding this assertion explicitly to resources that are expected to be used by various sites out there on the internet (e.g. by sending a
Cross-Origin-Resource-Policy: cross-origin
header). This should be a no-op in the status quo, and will ensure that y'all aren't blocking developers from opting-intoCross-Origin-Embedder-Policy
(and therefore exciting new APIs).If there's any more context I can give you about this set of features, I'd be happy to chat!
The text was updated successfully, but these errors were encountered: