Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider asserting a Cross-Origin-Resource-Policy? #13782

Closed
mikewest opened this issue Apr 1, 2020 · 19 comments
Closed

Consider asserting a Cross-Origin-Resource-Policy? #13782

mikewest opened this issue Apr 1, 2020 · 19 comments

Comments

@mikewest
Copy link

mikewest commented Apr 1, 2020

Hey folks! Hopefully this is a reasonable repository for requests like this one. :)

Cross-Origin-Resource-Policy (CORP) is an HTTP response header that asserts a scope in which a given resource is allowed to be embedded. Today, the default for all resources is to allow cross-site loads, which unfortunately creates the conditions for side-channel attacks via Spectre, et al. With this background, browser vendors are interested in changing this default generally in the long-term, and in the short-term will allow developers to require explicit opt-in via Cross-Origin-Embedder-Policy. This opt-in will be a prerequisite for some particularly interesting APIs like SharedArrayBuffer.

To support this migration, it would be ideal if y'all could begin adding this assertion explicitly to resources that are expected to be used by various sites out there on the internet (e.g. by sending a Cross-Origin-Resource-Policy: cross-origin header). This should be a no-op in the status quo, and will ensure that y'all aren't blocking developers from opting-into Cross-Origin-Embedder-Policy (and therefore exciting new APIs).

If there's any more context I can give you about this set of features, I'd be happy to chat!

@MattIPv4
Copy link
Member

MattIPv4 commented Apr 1, 2020

Makes sense to me. @xtuc can you help make this happen?

@mikewest
Copy link
Author

mikewest commented Apr 6, 2020

FYI: BootstrapCDN rolled this out last week (jsdelivr/bootstrapcdn#1495). Thus far, nothing's exploded. :)

@MattIPv4
Copy link
Member

MattIPv4 commented Apr 6, 2020

Thus far, nothing's exploded.

Always a good sign. 😂

@xtuc is it worth compiling a list of all header changes from this issue & others, so that they can all be sent across to have the changes made?

@mikewest
Copy link
Author

Friendly ping. I'd also point to https://resourcepolicy.fyi/ as hopefully helpful context. :)

@xtuc
Copy link
Member

xtuc commented Apr 28, 2020

Sorry for the delay, I'm going to look into it.

@mikewest
Copy link
Author

mikewest commented Sep 2, 2020

Hey folks! Bootstrap rolled this out in April (jsdelivr/bootstrapcdn#1495). JSDelivr rolled it out last month (jsdelivr/jsdelivr#18201). I'd appreciate y'all taking another look to see if you can squeeze this onto your roadmap.

Thanks!

@MattIPv4
Copy link
Member

MattIPv4 commented Sep 2, 2020

@tc80 @xtuc Could we please look to address this, as well as other config changes? (#11202, #13611, #8972)

@rubenlg
Copy link

rubenlg commented Nov 2, 2020

Today Chrome started blocking my CORS requests to cdnjs because of the lack of the cross-origin-resource-policy header.

Update: It seems to have been a change on itch.io servers, not Chrome, since they started specifying cross-origin-embedder-policy for web-games. So web games on itch.io which pull resources from cdnjs might be broken right now.

@mikewest
Copy link
Author

mikewest commented Nov 9, 2020

https://resourcepolicy.fyi/#corp-and-isolation outlines the expected interaction between cross-origin-embedder-policy and the cross-origin-resource-policy header described in this issue. Firefox currently requires COEP (and COOP) to make use of features like SharedArrayBuffer. Chrome is going to follow suit. It would be helpful for CDNs like CDNjs to do the same. :)

In the short-term, @rubenlg, you should be able to shift to CORS-enabled requests by adding crossorigin=anonymous to your <script> tags. Since CDNjs sends Access-Control-Allow-Origin: *, you should be good to go.

@rubenlg
Copy link

rubenlg commented Nov 9, 2020

Thanks @mikewest, that's very useful!

As an alternative for others landing on this issue, I ended up shipping the library alongside the game, rather than pulling it from cdnjs.

Incidentally, it also makes the game slightly faster to load, since there is no need for extra DNS lookups.

@xtuc
Copy link
Member

xtuc commented Nov 18, 2020

@mikewest sorry for the delay. We started deploying this change in a few locations.

@mikewest
Copy link
Author

@mikewest sorry for the delay. We started deploying this change in a few locations.

This is great to hear, thank you!

@ScottHelme
Copy link

Looping in to add some support for the request to support the CORP Header on all assets!

Cross-Origin-Resource-Policy: cross-origin

I'm writing a blog and listing CDNs that already provide this so it'd be great to add cdnjs!

@MattIPv4
Copy link
Member

Hey Scott!

We're currently rolling this out to a few edge locations and will continue to do so over the next few days.

We currently serve the ACAO header on the following assets, and will also serve the CORP header going forward:

  • js
  • css
  • png
  • svg
  • ttf
  • eot
  • woff
  • woff2
  • otf
  • map
  • wasm
  • mjs
  • avif

The following extensions are served by the CDN but won't have an ACAO/CORP response:

  • gif
  • jpg
  • jpeg
  • swf
  • cur
  • mp3
  • ogg
  • aac
  • scss
  • webp
  • json
  • ts
  • hpb
  • lang

Do let me know if you think other extensions should be added (or if just serving it on everything would be advisable).

@mikewest
Copy link
Author

The following extensions are served by the CDN but won't have an ACAO/CORP response: ...

Pages that opt-into cross-origin isolation will block any response that doesn't explicitly allow itself to be embedded via either CORP or CORS (https://resourcepolicy.fyi/#corp-and-isolation has some more detail, as does https://web.dev/coop-coep/). If you expect resources with these extensions to be used cross-origin, it seems reasonable to allow them to be loaded via appropriate ACAO and CORP headers.

Of the file extensions you've pointed to that aren't allowed via CORS or CORP, the image types (gif, jpg, jpeg, webp) and media types (cur, mp3, ogg, aac) seem like reasonable priorities to which to add headers. Others aren't directly supported by browsers (swf, scss, ts, hpb, lang), but you could imagine userland-based usage, which would require CORS.

JSON is interesting, as the answer somewhat depends upon what the JSON represents. If it's static data that doesn't reveal anything about a given user, then ACAO/CORP seem reasonable. If it's personalized data, then granular ACLs via CORS seem like the right choice.

@MattIPv4
Copy link
Member

Yeah, everything on the CDN is completely public, nothing user-specific, so adding ACAO/CORP to all our responses seems sensible as part of this roll-out (I think we'll likely get CORP out on the extensions we already serve ACAO on first, then do a second roll-out to enable ACAO/CORP on everything).

@mikewest
Copy link
Author

That sounds good to me. Thank you for following up!

@dotjs
Copy link

dotjs commented Nov 20, 2020

CORP header now added to all existing assets that had existing ACAO header.

@xtuc
Copy link
Member

xtuc commented Nov 20, 2020

CORS and CORP headers are now send for all file types (except for .swf). I'm going ahead and close this issue.

@xtuc xtuc closed this as completed Nov 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants