Closed Bug 1486822 Opened 6 years ago Closed 6 years ago

Cross-Origin Read Policy (CORP) (previously From-Origin)

Categories

(Core :: DOM: Security, enhancement)

RESOLVED DUPLICATE of bug 1459573

People

(Reporter: tjr, Unassigned)

(I accidentally submitted too quickly)

CORP is an HTTP header that allows an origin to specify what third-party origins are allowed to use resources it serves (such as stylesheets, images, script files, etc.). It is analogous to X-FRAME-OPTIONS.

If an origin attempts to embed resources whose From-Origin indicates it is not allowed to, the browser will mimic a network error (or something similar).

It assists in Fission Security by providing websites a way to opt in to protecting their non-document resources from potential disclosure via a Spectre attack. (CORB is an on-by-default mechanism to protect the document resources.)
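
The blocking decision described in the comment above, as an added example that is not taken from this bug or from Firefox code. It assumes the header as it is defined in the Fetch standard, `Cross-Origin-Resource-Policy` with the values `same-origin`, `same-site` and `cross-origin`; the function names and sample origins are constructed, and `lastTwoLabels` is a stand-in for the Public Suffix List lookup a real same-site check needs.

```javascript
// Added illustration: decide whether a no-cors subresource response may be
// handed to the embedding page. "blocked" is the case where the browser
// reports a network error instead of delivering the resource.
function corpCheck(embedderOrigin, resourceUrl, headerValue, siteOf) {
  const embedder = new URL(embedderOrigin);
  const resource = new URL(resourceUrl);

  // Only the three exact tokens count; a missing or unknown value is no policy.
  const known = ["same-origin", "same-site", "cross-origin"];
  const policy = known.includes(headerValue) ? headerValue : null;

  if (policy === null || policy === "cross-origin") return "allowed";

  if (policy === "same-origin") {
    // Scheme, host and port must all match.
    return embedder.origin === resource.origin ? "allowed" : "blocked";
  }

  // same-site: hosts share a site, and an https resource is never
  // released to an embedder that is not itself https.
  const sameSite = siteOf(embedder.hostname) === siteOf(resource.hostname);
  const schemeOk = embedder.protocol === "https:" || resource.protocol !== "https:";
  return sameSite && schemeOk ? "allowed" : "blocked";
}

// Assumption: approximates "site" as the last two host labels. Real code
// must use the Public Suffix List (this is wrong for e.g. co.uk).
function lastTwoLabels(host) {
  return host.split(".").slice(-2).join(".");
}

// Constructed sample requests: [embedder origin, resource URL, header value].
const SAMPLES = [
  ["https://app.example", "https://cdn.example/logo.png", "same-origin"],
  ["https://app.example", "https://app.example/logo.png", "same-origin"],
  ["https://a.shop.example", "https://img.shop.example/p.png", "same-site"],
  ["http://a.shop.example", "https://img.shop.example/p.png", "same-site"],
  ["https://other.example", "https://cdn.example/font.woff", "cross-origin"],
  ["https://other.example", "https://cdn.example/font.woff", undefined],
];

function runSamples() {
  return SAMPLES.map(([e, r, h]) => corpCheck(e, r, h, lastTwoLabels));
}

console.log(runSamples());
```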
Summary: Cross-Origin Read Policy (CORP) (previously From → Cross-Origin Read Policy (CORP) (previously From-Orgin)
Alias: corp
See Also: → cowp
Dupe of bug 1459573?
Dangit I thought I had a bug for it filed; but couldn't find it...
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Alias: corp
No longer blocks: fission