Web resources
Composability is a very powerful capability of the Web. You can easily load resources from different sources to enhance the functions of web pages, such as: font、image、video
etc.
These services are very powerful and convenient, but such a strategy will also increase the risk of information leakage. Attackers can use certain means to leak your user information.
Browsers are also very good at preventing these attacks. We are already familiar with the same-origin policy, which is used to restrict resource access to sites from different sources. You can poke the browser's same-origin policy in detail, and I won't introduce too much here.
However, there are some exceptions to the same-origin policy. Any website can load the following resources without restriction:
Embed cross-domain
iframe
image、script
Other resourcesUse DOM to open cross-domain pop-up windows
For these resources, the browser can be cross-domain resource sites each separated on different Context Group
under different Context Group
under resources can not visit each other.
Browser Context Group
is a group share the same context tab, window or iframe. For example, if the site ( https://a.example
) to open the pop-up window ( https://b.example
), open the windows and pop-up windows share the same browsing context, and they can DOM API
visit each other, for example window.opener
.
Spectre vulnerability
For a long time, these security strategy has been to protect the privacy of data the site until the Spectre
loopholes.
Spectre
It is one of the CPU
discovered vulnerabilities, exploit Spectre
, an attacker can read under the unified browser any Context Group
resources under.
In particular, the need to use some computer hardware and interact API
when:
SharedArrayBuffer (required for WebAssembly Threads)
performance.measureMemory()
JS Self-Profiling API
For this reason, the browser was disabled in SharedArrayBuffer
high-risk API
.
Cross-domain isolation
In order to be able to use these powerful functions, and to ensure that our website resources are more secure, we need to create a cross-domain isolation environment for the browser.
A lot of proprietary terms will be mentioned below. Let’s first list all cross-domain related terms to prevent confusion later:
COEP: Cross Origin Embedder Policy
: Cross-source embedded program strategyCOOP: Cross Origin Opener Policy
: Cross-source opener policyCORP: Cross Origin Resource Policy
: Cross-origin resource strategyCORS: Cross Origin Resource Sharing
: Cross-origin resource sharingCORB: Cross Origin Read Blocking
: Cross-origin read blocking
We can COOP、COEP
create an isolated environment.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Here we look at these two Hedaer
meanings, and how to configure it.
COOP:Cross Origin Resource Policy
COOP: Cross-person open source policy, corresponding HTTP Header
Shi Cross-Origin-Opener-Policy
.
By COOP
setting Cross-Origin-Opener-Policy: same-origin
, will be isolated from other sources of different windows open the site in different browsers Context Group
, isolated environmental resources so created.
For example, if with COOP
the site to open a new page pops up cross-domain, its window.opener
property will be null
.
In addition to same-origin
, COOP
there are two other different values:
Cross-Origin-Opener-Policy: same-origin-allow-popups
With same-origin-allow-popups
the top of the page pop-up window will retain some reference to these pop-ups are either not provided COOP
, or by COOP
setting unsafe-none
out to choose isolation.
Cross-Origin-Opener-Policy: unsafe-none
unsafe-none
It is the default setting, allowing sharing of the current page and pop-up page Context Group
.
CORP 、 CORS
To enable cross-domain isolation, you also need to make sure that all cross-domain resources are explicitly allowed to load. There are two ways to achieve this, one is CORP
, the other is CORS
.
CORS
(Cross-domain resource sharing) We often use it when we solve cross-domain problems daily. We are already very familiar with this, let's take a look CORP
:
Cross-Origin-Resource-Policy: same-site
Mark same-site
of resources can only be loaded from the same site.
Cross-Origin-Resource-Policy: same-origin
Mark same-origin
of resources can only be loaded from the same source.
Cross-Origin-Resource-Policy: cross-origin
Marking cross-origin
the resource can be loaded from any website.
Note that if some common CDN
resources, for example image、font、video
, and so on, must be set cross-origin
, otherwise it could lead to resources can not be properly loaded.
For cross-domain resource you can not control, you can manually add in html tag
crossorigin
attributes.
COEP:Cross Origin Embedder Policy
COOP: Cross-source embedded program policies, corresponding HTTP Header
Shi Cross-Origin-Embedder -Policy
.
Enable Cross-Origin-Embedder-Policy: require-corp
, you can make your site load only cross-domain resources that are clearly marked as sharable, which is the configuration we just mentioned above, or same-domain resources.
For example, the above picture if no resources Cross-Origin-Resource-Policy
will be blocked loaded.
In the fully enabled COEP
before, you can use Cross-Origin-Embedder-Policy-Report-Only
whether to run properly checking policy. If there are non-compliant resources, they will not be prohibited from loading, but will be reported to your server log.
Test whether cross-domain isolation is normal
When you COOP、COEP
after all configuration is complete, your site should now be in a cross-domain isolation, you can use self.crossOriginIsolated
to determine whether the isolated state is normal.
if(self.crossOriginIsolated){
// 跨域隔离成功
}
Well, you can now enjoyable to use haredArrayBuffer
, performance.measureMemory
or JS Self-Profiling API
the powerful API of ~
reference
https://web.dev/why-coop-coep/
https://web.dev/coop-coep/
Like, watch, forward to support the author❤️