Consider asserting a Cross-Origin-Resource-Policy? #57

Open
mikewest opened this issue Apr 1, 2020 · 10 comments
Comments

@mikewest

mikewest commented Apr 1, 2020

Hey folks! Hopefully this is a reasonable repository for requests like this one. :)

Cross-Origin-Resource-Policy (CORP) is an HTTP response header that asserts a scope in which a given resource is allowed to be embedded. Today, the default for all resources is to allow cross-site loads, which unfortunately creates the conditions for side-channel attacks via Spectre, et al. With this background, browser vendors are interested in changing this default generally in the long-term, and in the short-term will allow developers to require explicit opt-in via Cross-Origin-Embedder-Policy. This opt-in will be a prerequisite for some particularly interesting APIs like SharedArrayBuffer.

To support this migration, it would be ideal if y'all could begin adding this assertion explicitly to resources that are expected to be used by various sites out there on the internet (e.g. by sending a Cross-Origin-Resource-Policy: cross-origin header). This should be a no-op in the status quo, and will ensure that y'all aren't blocking developers from opting-into Cross-Origin-Embedder-Policy (and therefore exciting new APIs).

If there's any more context I can give you about this set of features, I'd be happy to chat!

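To make the behaviour described in the comment above concrete, here is an added example (not code from this issue, from jQuery's infrastructure, or from any browser) that models the cross-origin resource policy check as the Fetch standard defines it for a plain no-cors subresource load such as `<script src>` or `<img>`. It shows why a missing header on a CDN becomes a problem only once the embedding document sets `Cross-Origin-Embedder-Policy: require-corp`, why an unrecognised header value is treated the same as no header, and the scheme rule attached to `same-site`. The function names, the simplified registrable-domain helper (real browsers consult the Public Suffix List) and the sample origins are assumptions made for the example.

```javascript
// Added example: a model of the Fetch spec's "cross-origin resource policy
// check" for a no-cors subresource response. Not browser code; function
// names and the eTLD+1 approximation below are this example's own choices.

const KNOWN_CORP = new Set(['same-origin', 'same-site', 'cross-origin']);

// Parse the raw Cross-Origin-Resource-Policy value. Whitespace is trimmed;
// anything that is not exactly one of the three tokens counts as no header
// at all, so a typo such as "Cross-Origin" gives the resource no protection.
function parseCorp(headerValue) {
  if (headerValue === null || headerValue === undefined) return null;
  const v = String(headerValue).trim();
  return KNOWN_CORP.has(v) ? v : null;
}

// Origin tuple (scheme, host, port) of a URL; default ports appear as ''.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(/:$/, ''), host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simplified "registrable domain": the last two DNS labels. Browsers use
// the Public Suffix List here (so foo.co.uk and bar.co.uk are different
// sites); this shortcut is an assumption to keep the example self-contained.
function registrableDomain(host) {
  const labels = host.split('.');
  return labels.length <= 2 ? host : labels.slice(-2).join('.');
}

function schemelesslySameSite(a, b) {
  return registrableDomain(a.host) === registrableDomain(b.host);
}

// Decide whether a response may be delivered to the requesting document.
//   requestOrigin  origin (or any URL) of the embedding document
//   responseUrl    final URL of the fetched resource
//   corpHeader     raw Cross-Origin-Resource-Policy value, or null if absent
//   embedderPolicy the document's COEP: 'unsafe-none' (default) or 'require-corp'
//   requestMode    'no-cors' (plain <script>/<img>) or 'cors' (crossorigin attr)
// Returns 'allowed' or 'blocked'.
function corpCheck({ requestOrigin, responseUrl, corpHeader = null,
                     embedderPolicy = 'unsafe-none', requestMode = 'no-cors' }) {
  // CORS-mode requests are gated by Access-Control-Allow-Origin instead; the
  // CORP check only applies to responses whose tainting is not "cors".
  if (requestMode === 'cors') return 'allowed';

  const origin = originOf(requestOrigin);
  const target = originOf(responseUrl);
  let policy = parseCorp(corpHeader);

  // COEP: require-corp makes "no header" behave as "same-origin".
  if (policy === null && embedderPolicy === 'require-corp') policy = 'same-origin';

  switch (policy) {
    case null:
    case 'cross-origin':
      return 'allowed';
    case 'same-origin':
      return sameOrigin(origin, target) ? 'allowed' : 'blocked';
    case 'same-site':
      // same-site also refuses to let an http:// document read an https://
      // resource of the same site (downgrade protection).
      if (schemelesslySameSite(origin, target) &&
          (origin.scheme === 'https' || target.scheme !== 'https')) {
        return 'allowed';
      }
      return 'blocked';
    default:
      return 'blocked';
  }
}
```

Run through the case the issue is about: a page on `https://example.com` loading a script from `code.jquery.com` with no CORP header is allowed today (`embedderPolicy: 'unsafe-none'`) and blocked as soon as the page sets `require-corp`; adding `Cross-Origin-Resource-Policy: cross-origin` makes it allowed again, while a page that already used `crossorigin="anonymous"` plus a valid `Access-Control-Allow-Origin` was never subject to this check. On the serving side the header is a one-line addition (for nginx, `add_header Cross-Origin-Resource-Policy cross-origin always;`), and what a CDN currently sends can be inspected with `curl -sI <url> | grep -i cross-origin-resource-policy`.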
@mgol
Member

mgol commented Apr 1, 2020

Thanks for the report. Is there a more detailed write-up on these new changes that's approachable to the general public?

https://code.jquery.com/ is quite a small CDN, only hosting files for jQuery projects. Could such changes be first adopted by some larger CDNs that are well staffed & can react to potential issues quicker, like the ones by Google or Microsoft?

@mikewest
Author

mikewest commented Apr 1, 2020

> Is there a more detailed write-up on these new changes that's approachable to the general public?

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit#bookmark=id.kaco6v4zwnx2 is part of an explainer for the general approach browsers are taking. We aim to get an article out onto web.dev at some point in the relatively near future that will hopefully be more digestible.

> https://code.jquery.com/ is quite a small CDN, only hosting files for jQuery projects.

"small" is relative. :) Digging through HTTP Archive, I see ~158k sites depending on a script resource of some sort from code.jquery.com.

> Could such changes be first adopted by some larger CDNs that are well staffed & can react to potential issues quicker, like the ones by Google or Microsoft?

I understand your risk-aversion, and it's not unreasonable. This should be a no-op for browsers generally, and I'm poking folks at CDNs, large and small. It's not a change you need to make tomorrow, and waiting for someone else to go first is probably fine. But I expect folks who rely on your CDN will start asking y'all to roll out CORP as browsers begin restricting SharedArrayBuffer and other new APIs behind COEP. I'd like it to be on your radar. :)

@mgol
Member

mgol commented Apr 1, 2020

Thanks for the heads up, I appreciate it! I'll keep this in mind but I'll try to understand the topic a bit better first. :)

@mikewest
Author

mikewest commented Apr 2, 2020

If you have any questions, I'd be happy to try to answer them. :)

@mikewest
Author

mikewest commented Apr 6, 2020

FYI: BootstrapCDN rolled this out last week (jsdelivr/bootstrapcdn#1495). Thus far, nothing's exploded. :)

@mikewest
Author

Friendly ping. I'd also point to https://resourcepolicy.fyi/ as hopefully helpful context. :)

@mgol
Member

mgol commented May 6, 2020

@mikewest Sorry, I'm quite busy with lots of other stuff at the moment; it's not likely I'll have time to look into it within the next few weeks.

@Krinkle
Member

Krinkle commented Jul 5, 2020

@mikewest wrote at MaxCDN/bootstrapcdn#1495:

> Yes, Cross-Origin-Resource-Policy: cross-origin is what you'd apply to resources that ought to be embeddable across the web

@Krinkle
Member

Krinkle commented Jul 5, 2020

This will need to be done on the jquery/infrastructure side. I've filed a ticket jquery/infrastructure-puppet#7.

@mikewest
Author

mikewest commented Sep 2, 2020

Hey folks! Bootstrap rolled this out in April (jsdelivr/bootstrapcdn#1495). JSDelivr rolled it out last month (jsdelivr/jsdelivr#18201). I'd appreciate y'all taking another look to see if you can squeeze this onto your roadmap.

Thanks!

@Krinkle Krinkle removed their assignment Nov 13, 2020