Cross-Origin-Resource-Policy

[Malvoz]

There's a relatively new HTTP header called Cross-Origin-Resource-Policy which Helmet could utilize.

MDN docs:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy

Now I'm not sure how it affects or if it takes precedence (when applicable) over X-Frame-Options, CSP's frame-ancestors and X-Permitted-Cross-Domain-Policies.

Browser support bugs can be found here: Fyrd/caniuse#4355

[EvanHahn]

I'll take a look at this! Thank you.

[EvanHahn]

This is definitely something to keep an eye on, though I want to wait on this in case the spec changes. It seems unstable at the moment.

[EvanHahn]

Until it's added to Helmet, you can add it to your Express apps with just a few lines:

app.use(function (req, res, next) {
  res.setHeader('Cross-Origin-Resource-Policy', 'same-site')
  next()
})

[EvanHahn]

I just published cross-origin-resource-policy@0.1.0 to npm, which you can learn more about here. It's not part of mainline Helmet so it'll need to be installed separately for now.

After browser support improves, I'll add it to Helmet.

[mscottnelson]

I see that you just wrote that on Sep 8. Safari (both desktop and iOS) added support for this policy on Sep 18. Although it is still a new feature on some platforms, all major browsers now support it. Don't know what your threshold is, just wanted to make sure you were aware.

[EvanHahn]

Hmm, I didn't see it listed on caniuse.com and some of the reported bugs didn't look resolved (in Firefox and Edge). Am I missing something?

[mscottnelson]

My apologies. I was working on implementing a number of security features and somehow conflated this header with the SameSite cookie attribute when I made that comment. Carry on.

[EvanHahn]

No worries! Always good to check.

[rajeshsusai]

Hi, looks like Chrome 80 is looking to enforce CORP: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

Are there plans to add Cross-Origin-Resource-Policy to helmet soon?

[Malvoz]

@rajeshsusai that link only talks about SameSite cookies, and not the Cross-Origin-Resource-Policy HTTP header. CORP has been available in Chrome since v73.

[EvanHahn]

I'm not sure I understand the explainer. Can someone link me to something that can help me understand this header and the kinds of problems it prevents?

[jraoult]

@EvanHahn I found this ystd, it might help (https://youtu.be/vfAHa5GBLio?t=1217)

[EvanHahn]

I've added support for Cross-Origin-Resource-Policy (among other Cross-Origin- headers) in v4.5.0-rc.1.

You can install with npm install helmet@4.5.0-rc.1, see the docs for 4.5.x on GitHub, and the pull request at #296.

Please try it and give me feedback! I will plan to release on April 17/18 unless something disrupts that, such as significant errors in my implementation.

[EvanHahn]

This was released in helmet@4.5.0. Check out the documentation to see how to use the header.