Open simpleanalyticsbot opened 3 years ago
@dryan is this for the JavaScripts? What should the value be for those headers on our side?
Hey sorry I never responded. I don't ever notice GitHub emails.
Yes, it's the latest.js URL that needs the new header Cross-Origin-Resource-Policy. A value of cross-origin would let any site embed latest.js just like now, but with the explicit CORP policy set.
There are new security headers that allow sites to specify which cross-domain resources are allowed to be loaded on their site and which of their resources can be loaded on others. One of those headers, Cross-Origin-Resource-Policy, allows for require-corp, which says all third-party resources must also have a CORP header. Would be great for SA to add these so that we can set require-corp as a policy. See https://scotthelme.co.uk/coop-and-coep/ for more info.
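As an added illustration (not code from the thread or from Simple Analytics), the snippet below models the browser-side check that makes the request above matter: with `Cross-Origin-Embedder-Policy: require-corp` on the embedding page, a cross-origin `<script src>` load is blocked unless the response carries a `Cross-Origin-Resource-Policy` header; serving latest.js with `cross-origin` keeps it embeddable everywhere. Hostnames are constructed placeholders, and the same-site check uses a simplified two-label domain comparison rather than a public-suffix list.

```javascript
// Added example, not part of the original issue. Models how a browser applies
// Cross-Origin-Resource-Policy (CORP) to a no-cors subresource load such as
// <script src="https://.../latest.js">, and the headers the script host would
// send so that pages using Cross-Origin-Embedder-Policy: require-corp still load it.

// Registrable-domain comparison for the "same-site" value. Simplified assumption:
// two-label sites such as example.com; a real implementation consults the
// public suffix list.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Decide whether a no-cors load of resourceOrigin from a page at requestOrigin
// is allowed.
//   embedderCoep: the embedding page's Cross-Origin-Embedder-Policy value
//                 ("require-corp", or "unsafe-none"/null when absent)
//   resourceCorp: the resource's Cross-Origin-Resource-Policy value
//                 ("same-origin", "same-site", "cross-origin", or null when absent)
function corpAllows({ embedderCoep, resourceCorp, requestOrigin, resourceOrigin }) {
  const req = new URL(requestOrigin);
  const res = new URL(resourceOrigin);

  // CORP never blocks same-origin loads.
  if (req.origin === res.origin) return true;

  if (resourceCorp === "same-origin") return false;

  if (resourceCorp === "same-site") {
    if (siteOf(req.hostname) !== siteOf(res.hostname)) return false;
    // An http: page may not load an https: same-site resource under this value.
    if (req.protocol !== "https:" && res.protocol === "https:") return false;
    return true;
  }

  if (resourceCorp === "cross-origin") return true;

  // No (or unrecognised) CORP header: allowed, unless the embedder opted in to
  // require-corp, which blocks CORP-less cross-origin no-cors loads. (A CORS-mode
  // request would instead be admitted by a successful CORS check.)
  return embedderCoep !== "require-corp";
}

// Response headers for latest.js as the reply suggests: explicit CORP set to
// cross-origin so any site, COEP or not, can embed it.
function scriptResponseHeaders() {
  return {
    "Content-Type": "application/javascript; charset=utf-8",
    "Cross-Origin-Resource-Policy": "cross-origin",
  };
}

// Walk through the issue's scenario: a require-corp page embedding latest.js
// before and after the header is added. Origins are constructed placeholders.
function scenario() {
  const embedder = "https://customer-site.example";
  const script = "https://scripts.example.net/latest.js";
  const before = corpAllows({
    embedderCoep: "require-corp", resourceCorp: null,
    requestOrigin: embedder, resourceOrigin: script,
  });
  const after = corpAllows({
    embedderCoep: "require-corp",
    resourceCorp: scriptResponseHeaders()["Cross-Origin-Resource-Policy"],
    requestOrigin: embedder, resourceOrigin: script,
  });
  return { before, after }; // { before: false, after: true }
}
```

The `before`/`after` pair is the whole point of the request: nothing about the script changes, but without the header a `require-corp` customer page silently loses analytics, and with `cross-origin` set the existing embed-anywhere behaviour is preserved explicitly.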