-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FAQ: How to use this for hotlinking protection #27
Comments
Yes -- in fact, that was one of the main ideas behind the approach based on request headers.
Not really. CORP doesn't offer the same protections as restrictions based on
Same as above. For some apps, we're hoping to use both server-side and client-side restrictions against iframing, i.e. in addition to sending
This is also one of the main motivations of this feature :) We tried to capture some of this in https://arturjanc.com/cross-origin-infoleaks.pdf though it probably doesn't go into sufficient detail... |
Brian, I'm going to close this out, as I don't think there's a concrete addition to the spec that would fall out of it. If you disagree, please do reopen and help me out with some text that you think could clarify things! |
(Note the issue isn't what the feature is intended to do, but what it is capable of doing.)
A quick reading of the documentation for this suggests that it could be used to prevent hotlinking of images, video, etc. by rejecting requests for such content that don't have
site=same-site
orsite=same-origin
. Does this work? In particular, would this have the the effect asCross-Origin-Resource-Policy: same-site
orCross-Origin-Resource-Policy: same-origin
, but with the added benefit that the server can avoid sending a the content in a response that would otherwise be ignored under the analogousCross-Origin-Resource-Policy
?If so, then a follow-up FAQ question: Is
Cross-Origin-Resource-Policy
redundant and strictly worse than doing such enforcement usingSec-Metadata
? (The FAQ asks the opposite question.)Another follow-up question: Similarly, is this a better replacement for CSP frame-ancestors and X-Frame-Options? (#10 (comment) mentions
X-Frame-Options
but the FAQ doesn't.)The type of problems I am interested in solving: (1) Reducing DoS risks for underpowered servers that usually serve lightweight traffic but occasionally need to serve expensive resources. (2) minimizing side-channel leakage from cross-site/origin requests by preventing the response from being generated on the server in the first place and preventing it from being sent on the wire, which
Cross-Origin-Resource-Policy
does not do.The text was updated successfully, but these errors were encountered: