content/docs/defenses/opt-in/corp.md
3 additions & 6 deletions
@@ -12,13 +12,10 @@ Cross-Origin Resource Policy (CORP) is a web platform security feature that allo
12
12
13
13
If an application sets a certain resource CORP header as 'same-site' or 'same-origin', an attacker is incapable of reading that resource. This is a very strong and highly encouraged protection.
14
14
15
-
{{< hint warning >}}
16
-
CORP does not protect against navigational requests. This means that in browsers that do not support out-of-process iframes, a CORP-protected resource may still end up in another origin's process if [framing protections]({{< ref "../opt-in/xfo.md" >}}) are not used.
17
-
{{< /hint >}}
15
+
When using CORP, be aware of the following facts:
18
16
19
-
{{< hint warning >}}
20
-
This mechanism introduces [a new XS-Leak]({{< ref "../../attacks/browser-features/corp.md" >}}), which allows attackers to detect whether CORP was enforced in a certain request.
21
-
{{< /hint >}}
17
+
* CORP does not protect against navigational requests. This means that in browsers that do not support out-of-process iframes, a CORP-protected resource may still end up in another origin's process if [framing protections]({{< ref "../opt-in/xfo.md" >}}) are not used.
18
+
* The use of CORP introduces [a new XS-Leak]({{< ref "../../attacks/browser-features/corp.md" >}}), which allows attackers to detect whether CORP was enforced in a certain request.
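Review bot: removing both `{{< hint warning >}}` / `{{< /hint >}}` wrappers (the `-` lines) and re-adding the two caveats as plain bullets under "When using CORP, be aware of the following facts:" drops the warning call-out styling those notes had; if the intent is only to merge them into one list, keep a single `{{< hint warning >}}` block around the new intro line and its two bullets so the caveats still stand out from the preceding "highly encouraged protection" sentence. Minor wording: "facts" undersells the content, since both items are limitations of the defense (no coverage of navigational requests without framing protections; the new XS-Leak it introduces), so "caveats" or "limitations" reads more accurately.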