COEP HTTP - works with CORS and CORP - but separately #37343
Conversation
github-actions
bot
added
Content:HTTP
| @@ -31,12 +31,24 @@ Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless | |||
| ### Directives | |||
|
|
|||
| - `unsafe-none` | |||
| - : This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | |||
| - : Allows the document to load cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | |||
There was a problem hiding this comment.
What if CORP is same-origin - i.e. the unsafe-none would allow loading if CORP isn't set, but will the browser allow this if CORP explicitly says it does NOT want to be loaded?
I'm having trouble working it out from the spec.
There was a problem hiding this comment.
I read and re-read this and checked some explainers and this is my understanding:
- You can set CORP on any individual resource (regardless of COEP) and CORP will be respected -> explicitly setting COEP 'unsafe-none' doesn't interfere with CORP.
- If you set COEP
require-corp, then all resources (descendents) must have a CORP / CORS policy.
It boils down to scope, so a resource can have a CORP / CORS that controls where it's embedded, then a document sets COEP, and all embedded things have to have CORP or CORS defined.
COEP prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.
https://github.com/ArthurSonzogni/coep-reflection?tab=readme-ov-file#motivating-use-cases
Also we should add these to the See also:
There was a problem hiding this comment.
|
Preview URLs Flaws (1)URL:
(comment last updated: 2025-01-23 23:30:57) |
| - : A document can load cross-origin resources that are requested in [`no-cors` mode](/en-US/docs/Web/API/Request/mode) **without** an explicit permission via the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | ||
| In this case requests are sent without credentials: cookies are omitted in the request, and ignored in the response. |
There was a problem hiding this comment.
Again, what if CORP is same-origin - i.e. the unsafe-none would allow loading if CORP isn't set, but will the browser allow this if CORP explicitly says it does NOT want to be loaded?
| If you enable COEP using `require-corp` and have a cross origin resource that needs to be loaded, it needs to support [CORS](/en-US/docs/Web/HTTP/CORS) and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute for this image from a third-party site: | ||
| If you enable COEP using `require-corp` and want to embed a cross origin resource that supports [CORS](/en-US/docs/Web/HTTP/CORS), you will need to explicitly specify the HTML [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute so that it is requested in `cors` mode. | ||
|
|
||
| For example, you would you this approach to fetch an image from a third-party site that supports CORS: | ||
|
|
There was a problem hiding this comment.
Note, we could do with an equivalent example for CORP.
There was a problem hiding this comment.
But not planning on doing now!
hamishwillee
requested review from
bsmth,
a team and
wbamberg
and removed request for
a team and
bsmth
hamishwillee
force-pushed
the
coep_fix
branch
from
29e6154 to
10cf65b
Compare
| If you enable COEP using `require-corp` and have a cross origin resource that needs to be loaded, it needs to support [CORS](/en-US/docs/Web/HTTP/CORS) and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute for this image from a third-party site: | ||
| If you enable COEP using `require-corp` and want to embed a cross origin resource that supports [CORS](/en-US/docs/Web/HTTP/CORS), you will need to explicitly specify the HTML [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute so that it is requested in `cors` mode. | ||
|
|
||
| For example, you would you this approach to fetch an image from a third-party site that supports CORS: |
There was a problem hiding this comment.
| For example, you would you this approach to fetch an image from a third-party site that supports CORS: | |
| For example, you would use this approach to fetch an image from a third-party site that supports CORS: |
| @@ -68,7 +80,9 @@ if (crossOriginIsolated) { | |||
|
|
|||
| ### Avoiding COEP blockage with CORS | |||
|
|
|||
| If you enable COEP using `require-corp` and have a cross origin resource that needs to be loaded, it needs to support [CORS](/en-US/docs/Web/HTTP/CORS) and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute for this image from a third-party site: | |||
| If you enable COEP using `require-corp` and want to embed a cross origin resource that supports [CORS](/en-US/docs/Web/HTTP/CORS), you will need to explicitly specify the HTML [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute so that it is requested in `cors` mode. | |||
There was a problem hiding this comment.
Not just via HTML, but fetch('https://thing', { mode: 'cors' }) or crossOrigin like https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement/crossOrigin
| Cross-origin resource loading will be blocked by COEP unless: | ||
|
|
||
| - The resource is requested in `no-cors` mode and the response includes a {{HTTPHeader("Cross-Origin-Resource-Policy")}} header that allows it to be loaded into the document origin. | ||
| - The resource is requested in `cors` mode (the HTML [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute is set) and the resource supports CORS. |
There was a problem hiding this comment.
Same comment as below, not just HTML, but via fetch mode: cors or crossOrigin in JS.
hamishwillee
force-pushed
the
coep_fix
branch
from
10cf65b to
d260ad3
Compare
Fixes #36503
In addition this is a significant rework of the COEP header because I found it confusing.
The main problem I have with the existing doc is that it mixes up the effects and "nature" of CORS and CORP and the effect of this header when using these two.
Using the example of an
<img>it is important to remember that a cross-origin fetch is allowed by default - if your HTML doesn't includecrossoriginattribute the image is fetched inno-corsmode and will be returned by default and included unless the resource has CORP set on it.However if you set the crossorigin attribute the request is not-no-cors - it might be a
corsmode request and could have different settings for things like whether credentials are included.So it isn't just you must set CORs or CORP, it depends on how you make the request. I have tried to draw that distinction.
PS. The bug was about navigation requests. I dont think they are relevant, because a navigation is not embedding a resource. Though I guess the fetch of a new content for a frame would count, and that would be handled as per usual for CORs (whatever that is).