Open Malvoz opened 5 years ago
Is Cross-Origin-Resource-Policy even implemented by browsers? When I recommend things on the Observatory, I don't want to make people do work for no reason.
1.0 was finalized about 5 months ago, and MDN doesn’t have any trace of it yet, implying that we probably haven’t added it to Nightly yet:
https://github.com/whatwg/fetch/commit/0cec471b1ba938d775415e2ea08a2d2be4e72413
On Tue, Nov 20, 2018 at 13:42 April King notifications@github.com wrote:
Is Cross-Origin-Resource-Policy even implemented by browsers? When I recommend things on the Observatory, I don't want to make people do work for no reason.
Is Cross-Origin-Resource-Policy even implemented by browsers?
Right, probably too soon..
Safari tech preview indicates support as of Safari 12: https://webkit.org/blog/8332/release-notes-for-safari-technology-preview-59/
Tracking bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1459573 https://bugs.chromium.org/p/chromium/issues/detail?id=853723 https://bugs.webkit.org/show_bug.cgi?id=186761 https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17934554/
I think the CORS section should cover the Cross-Origin-Resource-Policy and X-Permitted-Cross-Domain-Policies header fields. Both these headers enable developers to allow/disallow CORS in their respective contexts, and potentially take precedence over Access-Control-Allow-Origin and crossdomain.xml.