Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy

[baknu]

Suggestion (by DanielMicay via Twitter - https://twitter.com/DanielMicay/status/1372856505037422593) for header checks:

encourage sites to defend against Spectre and other client-side vulnerabilities via cross-origin isolation:

Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin

Nice posts about it at https://web.dev/coop-coep/ and https://web.dev/cross-origin-isolation-guide/.

[thestinger]

Also worth noting that Cross-Origin-Opener-Policy: same-origin is usually very easy to deploy.

Cross-Origin-Embedder-Policy: require-corp is trivial to deploy if you don't use cross-origin resources at all but requires a fair bit of work for sites that do a lot of it. The work scales with the amount of it that you're doing, and you need your dependencies to cooperate.

Having both COOP + COEP gives you the full cross-origin isolation, which is a really nice protection from Spectre or client-side browser exploitation by making sure you have a proper browser sandbox isolating your site specifically.

It's also possible to set Cross-Origin-Resource-Policy: same-origin even when not explicitly needed by COEP as a further protection but it's not needed to simply get the baseline cross-origin isolation and it's probably not advisable to recommend setting it since it will break other sites trying to use resources like images from your site.

[sinteur]

We'll need to add that to the info shown for these headers, good point.