COEP HTTP - works with CORS and CORP - but separately #37343
+19
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Content:HTTP
hamishwillee
commented
Dec 23, 2024
| @@ -31,12 +31,24 @@ Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless | |||
| ### Directives | |||
|
|
|||
| - `unsafe-none` | |||
| - : This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | |||
| - : Allows the document to load cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | |||
There was a problem hiding this comment.
What if CORP is same-origin - i.e. the unsafe-none would allow loading if CORP isn't set, but will the browser allow this if CORP explicitly says it does NOT want to be loaded?
I'm having trouble working it out from the spec.
hamishwillee
commented
Dec 23, 2024
Comment on lines
+47
to
+48
| - : A document can load cross-origin resources that are requested in [`no-cors` mode](/en-US/docs/Web/API/Request/mode) **without** an explicit permission via the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. | ||
| In this case requests are sent without credentials: cookies are omitted in the request, and ignored in the response. |
There was a problem hiding this comment.
Again, what if CORP is same-origin - i.e. the unsafe-none would allow loading if CORP isn't set, but will the browser allow this if CORP explicitly says it does NOT want to be loaded?
hamishwillee
commented
Dec 23, 2024
| If you enable COEP using `require-corp` and have a cross origin resource that needs to be loaded, it needs to support [CORS](/en-US/docs/Web/HTTP/CORS) and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute for this image from a third-party site: | ||
| If you enable COEP using `require-corp` and want to embed a cross origin resource that supports [CORS](/en-US/docs/Web/HTTP/CORS), you will need to explicitly specify the HTML [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute so that it is requested in `cors` mode. | ||
|
|
||
| For example, you would you this approach to fetch an image from a third-party site that supports CORS: | ||
|
|
There was a problem hiding this comment.
Note, we could do with an equivalent example for CORP.
hamishwillee
requested review from
bsmth,
a team and
wbamberg
and removed request for
a team and
bsmth
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #36503
In addition this is a significant rework of the COEP header because I found it confusing.
The main problem I have with the existing doc is that it mixes up the effects and "nature" of CORS and CORP and the effect of this header when using these two.
Using the example of an
<img>it is important to remember that a cross-origin fetch is allowed by default - if your HTML doesn't includecrossoriginattribute the image is fetched inno-corsmode and will be returned by default and included unless the resource has CORP set on it.However if you set the crossorigin attribute the request is not-no-cors - it might be a
corsmode request and could have different settings for things like whether credentials are included.So it isn't just you must set CORs or CORP, it depends on how you make the request. I have tried to draw that distinction.
PS. The bug was about navigation requests. I dont think they are relevant, because a navigation is not embedding a resource. Though I guess the fetch of a new content for a frame would count, and that would be handled as per usual for CORs (whatever that is).