Bug 1459573 (corp)

Support Cross Origin Resource Policy (CORP) (Previously From-Origin)

NEW
Unassigned

Status


enhancement
P2
normal
a year ago
15 days ago

People

(Reporter: tjr, Unassigned)

Tracking

(Blocks 2 bugs, {dev-doc-needed, parity-chrome, parity-safari})

Trunk

Firefox Tracking Flags

(Fission Milestone:M3, firefox61 affected)

Details

(Reporter)

Description

a year ago
Alongside CORB, From-Origin will mitigate cross-site resources from being loaded into a malicious content process.

When a resource load (image, font, etc.) is requested, the From-Origin response header will be examined. If present and matching the requesting origin, it will be supplied to the content process and loaded. If non-matching, it will be rejected in some way and not loaded into the content process.

https://github.com/whatwg/fetch/issues/687
Priority: -- → P2
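
The check described above, sketched for the header under its later name, Cross-Origin-Resource-Policy, and its `same-origin`, `same-site` and `cross-origin` values. This is an added example, not code from this bug or from Firefox; `corpCheck` and `naiveSite` are hypothetical names, the host names are constructed, and "same site" is approximated by the last two host labels rather than the Public Suffix List.

```javascript
// Simplified model of the Cross-Origin-Resource-Policy decision a browser makes
// for "no-cors" subresource loads (images, fonts, scripts, ...) before the
// response body is handed to the requesting content process.

// Assumption: registrable domain = last two labels. Real browsers consult the
// Public Suffix List, so this is only adequate for the constructed hosts below.
function naiveSite(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function corpCheck(requesterOrigin, resourceUrl, corpHeader, mode = "no-cors") {
  // CORS-mode requests are governed by the CORS check instead.
  if (mode !== "no-cors") return "allowed";

  const requester = new URL(requesterOrigin);
  const resource = new URL(resourceUrl);
  // Same-origin loads are never restricted by this header.
  if (requester.origin === resource.origin) return "allowed";

  const policy = (corpHeader || "").trim();
  switch (policy) {
    case "same-origin":
      return "blocked"; // origins are already known to differ
    case "same-site": {
      const sameSite =
        naiveSite(requester.hostname) === naiveSite(resource.hostname);
      // An https resource is not released to an insecure page on the same site.
      const downgrade =
        resource.protocol === "https:" && requester.protocol !== "https:";
      return sameSite && !downgrade ? "allowed" : "blocked";
    }
    default:
      // "cross-origin", a missing header, or an unrecognised value: the
      // resource has not opted in to protection, so the load proceeds.
      return "allowed";
  }
}

// Constructed scenario: a font served by static.shop.example.
const font = "https://static.shop.example/a.woff2";
console.log(corpCheck("https://www.shop.example", font, "same-site"));
console.log(corpCheck("https://evil.example", font, "same-site"));
console.log(corpCheck("https://evil.example", font, undefined));
```

The last call shows why the header is opt-in protection: a resource served without it is still delivered to any requesting origin.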

Comment 1

10 months ago
web-platform-tests tests are in fetch/cross-origin-resource-policy.
Summary: Support From-Origin → Support Cross-Origin-Resource-Policy

Updated

10 months ago
Blocks: fetch
(Reporter)

Updated

8 months ago
Duplicate of this bug: 1486822
(Reporter)

Updated

8 months ago
Alias: corp
Summary: Support Cross-Origin-Resource-Policy → Support Cross Origin Resource Policy (CORP) (Previously From-Origin)

Updated

2 months ago
Fission Milestone: --- → M3
Component: DOM → DOM: Core & HTML
Product: Core → Core

Comment 3

15 days ago

dev-doc-needed

Some initial docs at https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) - though compat. data will need updating when this ships, of course.
