add HTTP "Cross-Origin Opener|Resource|Embedder Policy" header
Vocabulary
- COEP: Cross Origin Embedder Policy
- COOP: Cross Origin Opener Policy
- CORP: Cross Origin Resource Policy
- CORS: Cross Origin Resource Sharing
- CORB: Cross Origin Read Blocking
Resources
- COEP COOP CORP CORS CORB - CRAP that's a lot of new stuff! (scotthelme.co.uk)
- Consider deploying Cross-Origin Resource Policy (resourcepolicy.fyi)
- Making your website 'cross-origin isolated' using COOP and COEP (web.dev)
- COOP and COEP explained
- Fetch specification > Cross-Origin-Resource-Policy header (whatwg.org)
COOP - HTTP Cross-Origin-Opener-Policy header
- WHATWG Specification https://html.spec.whatwg.org/multipage/browsers.html#cross-origin-opener-policies
- MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
- Chrome documentation https://web.dev/security-headers/#coop
- Chrome documentation https://web.dev/coop-coep/
- Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
- Pentesting guide https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coop
source : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
allows a site to opt in to Cross-Origin Isolation in the browser.
source : https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coop
The Cross-Origin-Opener-Policy header provides a way for a document to isolate itself from cross-origin windows opened through window.open() or a link with target="_blank" without rel="noopener". As a result, any cross-origin opener of the document will have no reference to it and will not be able to interact with it.
CORP - HTTP Cross-Origin-Resource-Policy header
- WHATWG Specification https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
- MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
- Chrome documentation https://web.dev/security-headers/#corp
- Consider deploying CORP https://resourcepolicy.fyi
- Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
- Pentesting guide https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#corp
source : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
allows a resource owner to specify who can load the resource.
source : https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#corp
An attacker can embed resources from another origin, for example from your site, to learn information about them by exploiting web-based. Cross-Origin-Resource-Policy mitigates this risk by indicating the set of websites it can be loaded by. The header takes one of three values: same-origin, same-site, and cross-origin. All resources are recommended to send this header to indicate whether they allow being loaded by other websites.
COEP - HTTP Cross-Origin-Embedder-Policy header
- WHATWG Specification https://html.spec.whatwg.org/multipage/browsers.html#coep
- MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
- Chrome documentation https://web.dev/security-headers/#coep
- Chrome documentation https://web.dev/coop-coep/
- Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
- Pentesting guide https://book.hacktricks.xyz/network-services-pentesting
source : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.
source : https://book.hacktricks.xyz/network-services-pentesting
Cross-Origin-Embedder-Policy: require-corp prevents documents and workers from loading cross-origin resources such as images, scripts, stylesheets, iframes and others unless these resources explicitly opt into being loaded via
Examples
<IfModule mod_headers.c>
    # HTTP Cross-Origin-Opener-Policy (COOP) header
    # - WHATWG Specification https://html.spec.whatwg.org/multipage/browsers.html#cross-origin-opener-policies
    # - MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
    # - Chrome documentation https://web.dev/security-headers/#coop
    # - Chrome documentation https://web.dev/coop-coep/
    # - Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
    # - Pentesting guide https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coop
    # Note: "Header set" only applies to successful responses; use "Header always set" to cover error responses too.
    Header set Cross-Origin-Opener-Policy "same-origin"

    # HTTP Cross-Origin-Resource-Policy (CORP) header
    # - WHATWG Specification https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
    # - MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
    # - Chrome documentation https://web.dev/security-headers/#corp
    # - Consider deploying CORP https://resourcepolicy.fyi
    # - Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
    # - Pentesting guide https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#corp
    Header set Cross-Origin-Resource-Policy "same-origin"

    # HTTP Cross-Origin-Embedder-Policy (COEP) header
    # - WHATWG Specification https://html.spec.whatwg.org/multipage/browsers.html#coep
    # - MDN documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
    # - Chrome documentation https://web.dev/security-headers/#coep
    # - Chrome documentation https://web.dev/coop-coep/
    # - Scott Helme blog post https://scotthelme.co.uk/coop-and-coep/
    # - Pentesting guide https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coep
    Header set Cross-Origin-Embedder-Policy "require-corp"
</IfModule>
source : https://scotthelme.co.uk/coop-and-coep/ (staged rollout: COOP and COEP in report-only mode first, CORP enforced)
cross-origin-embedder-policy-report-only: require-corp; report-to="default"
cross-origin-opener-policy-report-only: same-origin; report-to="default"
cross-origin-resource-policy: same-site
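A quick way to verify what a server actually sends, as an added example that is not part of these notes or of any of the linked sources: the script below takes a dictionary of response headers (for example from `requests.get(url).headers`), checks each of the three policies against the values the WHATWG specifications define, flags a report-only policy that has no `report-to` target, and reports whether the document would end up cross-origin isolated. It also makes the point that the report-only variants never enforce anything, so the staged rollout above does not isolate the page yet. The sample header sets are constructed here (one mirrors the Apache snippet, one the report-only rollout).

```python
"""Audit the COOP / COEP / CORP headers carried by an HTTP response.

Added example for these notes (not code from any of the linked sources).
Input: a dict of response headers. Output: per-header findings plus a verdict
on whether the document would be cross-origin isolated, which requires an
*enforced* COOP of same-origin together with an *enforced* COEP of
require-corp or credentialless.
"""
from typing import Dict, Tuple

# Values allowed by the WHATWG HTML (COOP, COEP) and Fetch (CORP) specifications.
ALLOWED = {
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
    "cross-origin-resource-policy": {"same-origin", "same-site", "cross-origin"},
}
# Only COOP and COEP have a "-Report-Only" variant; CORP has none.
HAS_REPORT_ONLY = {"cross-origin-opener-policy", "cross-origin-embedder-policy"}


def parse_policy(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'require-corp; report-to="default"' into ('require-corp', {'report-to': 'default'})."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def audit(headers: Dict[str, str]) -> dict:
    """Return per-header findings and a cross_origin_isolated verdict."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: dict = {}
    for name, allowed in ALLOWED.items():
        status: dict = {"enforced": None, "report_only": None}
        problems = []
        enforced = lowered.get(name)
        if enforced is not None:
            token, _ = parse_policy(enforced)
            status["enforced"] = token
            if token not in allowed:
                problems.append(f"unknown value {token!r}")
        report_only = lowered.get(name + "-report-only")
        if report_only is not None:
            token, params = parse_policy(report_only)
            if name not in HAS_REPORT_ONLY:
                problems.append("report-only variant does not exist for this header; browsers ignore it")
            else:
                status["report_only"] = token
                if token not in allowed:
                    problems.append(f"unknown report-only value {token!r}")
                if "report-to" not in params:
                    problems.append("report-only policy has no report-to, so violations are never reported")
        if enforced is None and report_only is None:
            problems.append("header missing")
        status["problems"] = problems
        findings[name] = status
    coop = findings["cross-origin-opener-policy"]["enforced"]
    coep = findings["cross-origin-embedder-policy"]["enforced"]
    # Report-only headers never enforce, so only the enforced values count here.
    findings["cross_origin_isolated"] = coop == "same-origin" and coep in {"require-corp", "credentialless"}
    return findings


# Constructed samples: what the Apache snippet above emits, and the staged
# report-only rollout shown in the scotthelme.co.uk example.
APACHE_SNIPPET = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
STAGED_ROLLOUT = {
    "Cross-Origin-Embedder-Policy-Report-Only": 'require-corp; report-to="default"',
    "Cross-Origin-Opener-Policy-Report-Only": 'same-origin; report-to="default"',
    "Cross-Origin-Resource-Policy": "same-site",
}

if __name__ == "__main__":
    for label, hdrs in (("apache snippet", APACHE_SNIPPET), ("staged rollout", STAGED_ROLLOUT)):
        result = audit(hdrs)
        print(f"{label}: cross-origin isolated = {result['cross_origin_isolated']}")
        for name in ALLOWED:
            print(f"  {name}: {result[name]}")
```

Run it against a live site by replacing the constructed dictionaries with the `.headers` of a real response; the audit is purely on header values, so the same function works for any HTTP client.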