Consider asserting a Cross-Origin-Resource-Policy #57
Comments
Thanks for the report. Is there a more detailed write-up on these new changes that's approachable to the general public? https://code.jquery.com/ is quite a small CDN, only hosting files for jQuery projects. Could such changes be first adopted by some larger CDNs that are well staffed & can react to potential issues quicker, like the ones by Google or Microsoft?
https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit#bookmark=id.kaco6v4zwnx2 is part of an explainer for the general approach browsers are taking (. We aim to get an article out onto
"small" is relative. :) Digging through HTTP Archive, I see ~158k sites depending on a script resource of some sort from
I understand your risk-aversion, and it's not unreasonable. This should be a no-op for browsers generally, and I'm poking folks at CDNs, large and small. It's not a change you need to make tomorrow, and waiting for someone else to go first is probably fine. But I expect folks who rely on your CDN will start asking y'all to roll out CORP as browsers begin restricting
Thanks for the heads up, I appreciate it! I'll keep this in mind but I'll try to understand the topic a bit better first. :)
If you have any questions, I'd be happy to try to answer them. :)
FYI: BootstrapCDN rolled this out last week (jsdelivr/bootstrapcdn#1495). Thus far, nothing's exploded. :)
Friendly ping. I'd also point to https://resourcepolicy.fyi/ as hopefully helpful context. :)
@mikewest Sorry, I'm quite busy with lots of other stuff at the moment, it's not likely I'll have time to look into it within the next few weeks.
@mikewest wrote at MaxCDN/bootstrapcdn#1495:
This will need to be done on the jquery/infrastructure side. I've filed a ticket jquery/infrastructure-puppet#7.
Hey folks! Bootstrap rolled this out in April (jsdelivr/bootstrapcdn#1495). JSDelivr rolled it out last month (jsdelivr/jsdelivr#18201). I'd appreciate y'all taking another look to see if you can squeeze this onto your roadmap. Thanks!
Hey folks! Hopefully this is a reasonable repository for requests like this one. :)

`Cross-Origin-Resource-Policy` (CORP) is an HTTP response header that asserts a scope in which a given resource is allowed to be embedded. Today, the default for all resources is to allow cross-site loads, which unfortunately creates the conditions for side-channel attacks via Spectre, et al. With this background, browser vendors are interested in changing this default generally in the long-term, and in the short-term will allow developers to require explicit opt-in via `Cross-Origin-Embedder-Policy`. This opt-in will be a prerequisite for some particularly interesting APIs like `SharedArrayBuffer`.

To support this migration, it would be ideal if y'all could begin adding this assertion explicitly to resources that are expected to be used by various sites out there on the internet (e.g. by sending a `Cross-Origin-Resource-Policy: cross-origin` header). This should be a no-op in the status quo, and will ensure that y'all aren't blocking developers from opting into `Cross-Origin-Embedder-Policy` (and therefore exciting new APIs).

If there's any more context I can give you about this set of features, I'd be happy to chat!
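The issue above describes two interacting headers: CORP on the CDN's response and COEP on the page that embeds it. The following is an added example, not code from the jQuery infrastructure project or from the issue author; it simulates the browser-side CORP check for a no-cors subresource load (a plain `<script src>` tag) so you can see why a response without CORP is fine today but gets blocked once the embedding page sets `Cross-Origin-Embedder-Policy: require-corp`, and why `cross-origin` is the value a public CDN needs. The `origin_of`, `site_of`, `corp_header` and `corp_allows` functions are this example's own names; the sample header sets and the `code.jquery.com/example.js` path are constructed, not captured responses; and the registrable-domain logic is a deliberate simplification (last two DNS labels instead of the Public Suffix List).

```python
"""Simulated Cross-Origin-Resource-Policy (CORP) check for a no-cors subresource load.

Added example (not jQuery infrastructure code). It follows the Fetch spec's
"cross-origin resource policy check" for no-cors requests such as a plain
<script src="..."> tag, which is how most sites load CDN-hosted scripts.
"""
from urllib.parse import urlsplit

VALID_CORP = {"same-origin", "same-site", "cross-origin"}


def origin_of(url):
    """Return (scheme, host, port); default ports make https://a/ and https://a:443/ equal."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def site_of(url):
    """Return (scheme, registrable domain).

    Simplification (assumption): the registrable domain is taken as the last two
    DNS labels. Browsers use the Public Suffix List, so hosts under suffixes such
    as 'co.uk' would be classified wrongly here.
    """
    scheme, host, _ = origin_of(url)
    return (scheme, ".".join(host.split(".")[-2:]))


def corp_header(headers):
    """Case-insensitive lookup; an unrecognised value is treated as absent, as browsers do."""
    for name, value in headers.items():
        if name.lower() == "cross-origin-resource-policy":
            value = value.strip().lower()
            return value if value in VALID_CORP else None
    return None


def corp_allows(resource_url, resource_headers, embedder_url, coep="unsafe-none"):
    """True if the embedding document may load the resource, False if the browser blocks it.

    coep is the embedder's Cross-Origin-Embedder-Policy: "unsafe-none" (the default)
    or "require-corp". Under require-corp a missing CORP header is treated as
    "same-origin", which is why CDN responses must say "cross-origin" explicitly.
    """
    policy = corp_header(resource_headers)
    if policy is None:
        if coep != "require-corp":
            return True  # status quo: no CORP, no COEP, load allowed
        policy = "same-origin"
    if policy == "cross-origin":
        return True
    if policy == "same-origin":
        return origin_of(resource_url) == origin_of(embedder_url)
    return site_of(resource_url) == site_of(embedder_url)  # policy == "same-site"


# Constructed sample responses (not captured from code.jquery.com).
CDN_TODAY = {"Content-Type": "application/javascript"}
CDN_WITH_CORP = {"Content-Type": "application/javascript",
                 "Cross-Origin-Resource-Policy": "cross-origin"}
JQUERY = "https://code.jquery.com/example.js"  # constructed path


if __name__ == "__main__":
    for coep in ("unsafe-none", "require-corp"):
        for label, hdrs in (("no CORP", CDN_TODAY), ("CORP: cross-origin", CDN_WITH_CORP)):
            ok = corp_allows(JQUERY, hdrs, "https://example.com/", coep)
            print(f"embedder COEP={coep:12s} resource {label:18s} -> {'allowed' if ok else 'BLOCKED'}")
```

Running it prints four lines: with `unsafe-none` both responses are allowed, confirming the "no-op in the status quo" claim; with `require-corp` the CORP-less response is blocked and the one carrying `cross-origin` is allowed. Note that requests made in CORS mode (a `<script crossorigin>` tag or `fetch()`) are governed by CORS rather than CORP and are not modelled here.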