textpattern / server-config

Configuration files for Textpattern project servers.
The Unlicense

New security headers: COOP, COEP, CORP and CORB #67

Open philwareham opened 3 years ago

philwareham commented 3 years ago

There are a bunch of new security headers incoming, specifically COOP, COEP, CORP and CORB. We need to investigate which are appropriate to our family of sites.

Source: https://scotthelme.co.uk/coop-and-coep/

Note that Cross-Origin Read Blocking (CORB) is also mentioned; this depends on rules such as Access-Control-Allow-Origin: * not being used, which we currently do use (although I need to remember why we set this - there was a reason). EDIT: this was the reason.

Bloke commented 3 years ago

Great stuff.

EDIT... OT but related: https://github.com/textpattern/textpattern/issues/1681

philwareham commented 3 years ago

For reference (Apache): https://github.com/h5bp/server-configs-apache/blob/master/h5bp/security/cross-origin-policy.conf

petecooper commented 3 years ago

Also for ref https://github.com/h5bp/server-configs-nginx/commit/25a569d97d9634497498a4a387f1784269d998bb

philwareham commented 2 years ago

Tentative rules for this (for Apache)...

Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-site"
Header always set Cross-Origin-Embedder-Policy "require-corp"

...but that relies on CORS being set up properly to work, and that subject is a whole other level of confusing to me, so I'll defer to someone with better knowledge - or read more about it at some point in the future.
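Added example (not code from textpattern/server-config, nor from any of the commenters): a small Python model of how a browser applies the three headers in the tentative Apache rules above, so the interaction with CORS can be reasoned about before deploying them. It answers two questions: whether a document becomes cross-origin isolated (COOP same-origin plus COEP require-corp or credentialless), and whether a cross-origin subresource is delivered to a document that sends Cross-Origin-Embedder-Policy: require-corp. The rules it encodes: CORP only governs no-cors fetches (plain img, script, link); CORS-mode fetches (crossorigin="anonymous", fetch()) pass on the CORS check instead, so Access-Control-Allow-Origin: * still lets them through under require-corp. All hostnames, header sets and function names (can_load, is_cross_origin_isolated, TENTATIVE) are constructed for illustration, and registrable_domain assumes a two-label eTLD+1 rather than consulting the Public Suffix List.

```python
"""Model of COOP/COEP/CORP decisions. Example code, not the project's own."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) of a URL with the default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def serialize_origin(url):
    """Origin as it appears in Origin / Access-Control-Allow-Origin headers."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def registrable_domain(host):
    # Assumption: a two-label eTLD+1 such as example.org. Browsers use the
    # Public Suffix List (so foo.co.uk works); this example omits it.
    return ".".join(host.split(".")[-2:])


def same_site(a, b):
    """Schemeful same-site: same scheme and same registrable domain."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme == pb.scheme
            and registrable_domain(pa.hostname) == registrable_domain(pb.hostname))


def norm(headers):
    """Lower-case names and values so lookups are case-insensitive."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def is_cross_origin_isolated(document_headers):
    """True when the document gets crossOriginIsolated (SharedArrayBuffer etc.)."""
    h = norm(document_headers)
    return (h.get("cross-origin-opener-policy") == "same-origin"
            and h.get("cross-origin-embedder-policy") in ("require-corp", "credentialless"))


def can_load(document_url, document_headers, resource_url, resource_headers, mode="no-cors"):
    """Is the subresource response delivered to the document?

    mode is the fetch mode: "no-cors" for a plain <img>/<script>/<link>,
    "cors" for crossorigin="anonymous" elements or fetch() (credentials omitted).
    """
    if origin_of(document_url) == origin_of(resource_url):
        return True  # same-origin: neither CORP nor COEP applies
    doc, res = norm(document_headers), norm(resource_headers)
    if mode == "cors":
        # CORS-mode fetches are governed by the CORS check, not by CORP:
        # "*" or the exact document origin in ACAO passes, anything else fails.
        acao = res.get("access-control-allow-origin")
        return acao in ("*", serialize_origin(document_url).lower())
    corp = res.get("cross-origin-resource-policy")
    if corp == "same-origin":
        return False                                   # blocks every cross-origin embed
    if corp == "same-site":
        return same_site(document_url, resource_url)   # e.g. static.example.org -> www.example.org
    if corp == "cross-origin":
        return True
    # No CORP header on a no-cors cross-origin response: only COEP decides.
    if doc.get("cross-origin-embedder-policy") == "require-corp":
        return False  # require-corp demands an explicit CORP (or CORS) opt-in
    return True       # no COEP, or credentialless (response accepted without credentials)


# The three tentative Apache rules from the comment above, as a header set.
TENTATIVE = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-site",
    "Cross-Origin-Embedder-Policy": "require-corp",
}


def demo():
    """Constructed scenario: a site on www.example.org embedding three resources."""
    doc = "https://www.example.org/"
    return {
        "isolated": is_cross_origin_isolated(TENTATIVE),
        "same-site css (CORP same-site), no-cors":
            can_load(doc, TENTATIVE, "https://static.example.org/a.css",
                     {"Cross-Origin-Resource-Policy": "same-site"}),
        "third-party img, ACAO * only, no-cors":
            can_load(doc, TENTATIVE, "https://cdn.example.net/logo.png",
                     {"Access-Control-Allow-Origin": "*"}),
        "third-party img, ACAO *, crossorigin=anonymous":
            can_load(doc, TENTATIVE, "https://cdn.example.net/logo.png",
                     {"Access-Control-Allow-Origin": "*"}, mode="cors"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {case}")
```

The third case is the one that bites when require-corp goes live: a third-party image that only sends Access-Control-Allow-Origin: * is blocked, because a plain img tag is a no-cors fetch and nothing in the response opts it in. Either the third party adds Cross-Origin-Resource-Policy: cross-origin, or the site marks the element crossorigin="anonymous" so the CORS check (which the wildcard satisfies) applies instead.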