Closed Bug 1459573 (corp) Opened 6 years ago Closed 5 years ago

Support Cross Origin Resource Policy (CORP) (Previously From-Origin)

Categories

(Core :: DOM: Core & HTML, enhancement, P2)

enhancement

Tracking


RESOLVED FIXED
mozilla69
Fission Milestone M4
Tracking Status
firefox61 --- wontfix
firefox69 --- fixed

People

(Reporter: tjr, Assigned: valentin)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Keywords: dev-doc-complete, parity-chrome, parity-safari)

Attachments

(1 file)

Alongside CORB, From-Origin will mitigate cross-site resources being loaded into a malicious content process.

When a resource load (image, font, etc.) is requested, the From-Origin response header will be examined. If present and matching the requesting origin, it will be supplied to the content process and loaded. If non-matching, it will be rejected in some way and not loaded into the content process.
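The decision described above (examine the response header, compare it with the requesting origin, then allow or reject the load) as a small standalone model in JavaScript. This is an added example, not Gecko code and not from the bug's patch; it assumes the three header values the final Cross-Origin-Resource-Policy spec defines (`same-origin`, `same-site`, `cross-origin`) rather than the earlier From-Origin syntax, and it approximates a "site" as the last two host labels where a real browser would consult the Public Suffix List.

```javascript
// Added example: a minimal model of the Cross-Origin-Resource-Policy check
// the bug describes. Not browser code; no-cors loads (images, fonts, scripts)
// are the case the check is meant for, since CORS-mode loads are already
// gated by Access-Control-Allow-Origin.

// Normalise a URL or origin string to "scheme://host[:port]".
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // URL.host drops default ports
}

// ASSUMPTION: "site" approximated as the registrable domain's last two
// labels. Real implementations use the Public Suffix List.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Decide whether a response carrying `corpHeader` may be delivered to the
// process that issued a no-cors request from `requestOrigin`.
// Returns { allowed: boolean, reason: string }.
function corpCheck(requestOrigin, responseUrl, corpHeader) {
  let policy = (corpHeader || '').trim().toLowerCase();
  // Unrecognised values are treated as if the header were absent.
  if (!['same-origin', 'same-site', 'cross-origin'].includes(policy)) {
    policy = '';
  }
  if (policy === '') {
    return { allowed: true, reason: 'no CORP header, default allow' };
  }
  if (policy === 'cross-origin') {
    return { allowed: true, reason: 'resource opted in to cross-origin use' };
  }

  const reqUrl = new URL(requestOrigin);
  const resUrl = new URL(responseUrl);
  if (originOf(requestOrigin) === originOf(responseUrl)) {
    return { allowed: true, reason: 'same origin' };
  }
  if (policy === 'same-origin') {
    return { allowed: false, reason: 'CORP same-origin: requester is cross-origin' };
  }

  // policy === 'same-site'
  if (siteOf(reqUrl.hostname) !== siteOf(resUrl.hostname)) {
    return { allowed: false, reason: 'CORP same-site: requester is cross-site' };
  }
  // A secure requester must not pull in an insecure same-site resource.
  if (reqUrl.protocol === 'https:' && resUrl.protocol !== 'https:') {
    return { allowed: false, reason: 'CORP same-site: https page, non-https resource' };
  }
  return { allowed: true, reason: 'same site' };
}

// Constructed sample loads, as a parent process would see them.
const SAMPLE_LOADS = [
  ['https://app.example', 'https://app.example/logo.png', 'same-origin'],
  ['https://attacker.test', 'https://app.example/logo.png', 'same-origin'],
  ['https://www.app.example', 'https://cdn.app.example/font.woff', 'same-site'],
  ['https://www.app.example', 'http://cdn.app.example/font.woff', 'same-site'],
  ['https://attacker.test', 'https://app.example/public.js', 'cross-origin'],
  ['https://attacker.test', 'https://app.example/legacy.png', undefined],
];

for (const [origin, url, header] of SAMPLE_LOADS) {
  const verdict = corpCheck(origin, url, header);
  console.log(`${verdict.allowed ? 'LOAD ' : 'BLOCK'} ${url} <- ${origin}: ${verdict.reason}`);
}
```

Note that a blocked load still means the response bytes reached the browser; what CORP buys is that they are not handed to the requesting content process, which is exactly the process-isolation point the bug is after.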

https://github.com/whatwg/fetch/issues/687
Priority: -- → P2
web-platform-tests tests are in fetch/cross-origin-resource-policy.
Summary: Support From-Origin → Support Cross-Origin-Resource-Policy
Blocks: fetch
Alias: corp
Summary: Support Cross-Origin-Resource-Policy → Support Cross Origin Resource Policy (CORP) (Previously From-Origin)
Fission Milestone: --- → M3
Component: DOM → DOM: Core & HTML

dev-doc-needed

Some initial docs at https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) - though compat. data will need updating when this ships, of course.

Assignee: nobody → valentin.gosu
Fission Milestone: M3 → M4
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/75bf71e58f29
Support Cross Origin Resource Policy (CORP) r=mayhemer
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Is this behind a flag for the minute (browser.tabs.remote.useCORP)? Is it off by default?

(In reply to lol768 from comment #7)

Is this behind a flag for the minute (browser.tabs.remote.useCORP)? Is it off by default?

Yes, it is currently behind that pref, disabled by default.

This got documented already, thank you Adam!

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy

The compat table still claims this is in 69 without pref, but I've opened https://github.com/mdn/browser-compat-data/pull/4572 to fix that.

Review appreciated as always.

Regressions: 1703464
Depends on: 1881271