Cross-Origin-Resource-Policy #176
Comments
I'll take a look at this! Thank you.

This is definitely something to keep an eye on, though I want to wait on this in case the spec changes. It seems unstable at the moment.
Until it's added to Helmet, you can add it to your Express apps with just a few lines:

app.use(function (req, res, next) {
  res.setHeader('Cross-Origin-Resource-Policy', 'same-site')
  next()
})
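The same idea as the snippet above, as an added example that is not code from this issue or from Helmet itself: a middleware factory that only accepts the three values the header defines (so a typo does not silently ship a header browsers ignore), plus a stub response so it runs without Express installed. `crossOriginResourcePolicy` and `runMiddleware` are hypothetical names chosen for this example.

```javascript
// Added example (not Helmet's code): an Express-style middleware factory for
// Cross-Origin-Resource-Policy with validation of the policy value.

// The three directive values the Cross-Origin-Resource-Policy header defines.
const CORP_POLICIES = new Set(['same-origin', 'same-site', 'cross-origin']);

// Returns (req, res, next) middleware. `policy` defaults to 'same-origin',
// the most restrictive value. An unrecognised value throws at setup time
// rather than sending a header that browsers would simply disregard.
function crossOriginResourcePolicy({ policy = 'same-origin' } = {}) {
  if (!CORP_POLICIES.has(policy)) {
    throw new Error(`Cross-Origin-Resource-Policy does not support "${policy}"`);
  }
  return function corpMiddleware(req, res, next) {
    res.setHeader('Cross-Origin-Resource-Policy', policy);
    next();
  };
}

// Minimal stand-in for an Express response object, enough to observe which
// header the middleware sets and whether it passes control on via next().
function runMiddleware(middleware) {
  const headers = {};
  const res = {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
  };
  let calledNext = false;
  middleware({}, res, () => { calledNext = true; });
  return { headers, calledNext };
}

// In a real app: app.use(crossOriginResourcePolicy({ policy: 'same-site' }))
```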
I just published After browser support improves, I'll add it to Helmet.

I see that you just wrote that on Sep 8. Safari (both desktop and iOS) added support for this policy on Sep 18. Although it is still a new feature on some platforms, all major browsers now support it. Don't know what your threshold is, just wanted to make sure you were aware.
Hmm, I didn't see it listed on caniuse.com and some of the reported bugs didn't look resolved (in Firefox and Edge). Am I missing something?
My apologies. I was working on implementing a number of security features and somehow conflated this header with the SameSite cookie attribute when I made that comment. Carry on.
No worries! Always good to check.
Hi, looks like Chrome 80 is looking to enforce CORP: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html Are there plans to add Cross-Origin-Resource-Policy to helmet soon?

@rajeshsusai that link only talks about

I'm not sure I understand the explainer. Can someone link me to something that can help me understand this header and the kinds of problems it prevents?

@EvanHahn I found this yesterday, it might help (https://youtu.be/vfAHa5GBLio?t=1217)
(until supported via helmetjs/helmet#176)
I've added support for You can install with Please try it and give me feedback! I will plan to release on April 17/18 unless something disrupts that, such as significant errors in my implementation.

This was released in
There's a relatively new HTTP header called Cross-Origin-Resource-Policy which Helmet could utilize. MDN docs:

Now I'm not sure how it affects or if it takes precedence (when applicable) over X-Frame-Options, CSP's frame-ancestors and X-Permitted-Cross-Domain-Policies. Browser support bugs can be found here: Fyrd/caniuse#4355