Spec: https://mikewest.github.io/corpp/ (monkey patching HTML and Fetch; intended to be folded back into those specifications)
The same-origin policy’s restrictions against direct access to another origin’s resources are, unfortunately, insufficient in the face of speculative execution attacks like Spectre. Merely loading another origin’s resource may be enough to bring its content into a memory space which may be probed by an attacker, even if the browser would otherwise prevent access to the resource through explicit channels.
Given this context, user agents are rethinking the threat model under which they operate (e.g. [chromium-post-spectre-rethink]). It would be unfortunate indeed to prevent the web platform from legitimately using APIs like SharedArrayBuffer that accidentally improve attackers’ ability to exploit speculation attacks, but at the same time, many user agents have agreed that it seems unreasonable to enable those APIs without additional mitigation.
Cross-Origin-Embedder-Policy tackles one piece of the broader problem by giving developers the ability to require an explicit opt-in from any resource which would be embedded in a given context. User agents can make that requirement a precondition for some APIs that might otherwise leak data about cross-origin resources, which goes some way towards ensuring that any leakage is voluntary, not accidental.
To that end, the proposal does three things:
1. It introduces a new cross-origin value for the Cross-Origin-Resource-Policy HTTP response header, which constitutes an explicit declaration that a given resource may be embedded in cross-origin contexts.
2. It introduces a new Cross-Origin-Embedder-Policy header which shifts the default behavior for resources loaded in a given context to an opt-in model, in which cross-origin responses must either assert a Cross-Origin-Resource-Policy header which allows the embedding, or pass a CORS check.
3. Together, these would allow a user agent to gate access to interesting APIs on a top-level context opting into Cross-Origin-Embedder-Policy, which in turn gives servers the ability to inspect incoming requests and make reasonable decisions about when to allow an embedding.
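The following Python model of the embedding decision is an added example and is not part of the proposal or of any user agent's code. It walks through the three cases the list above describes for a cross-origin response: a CORS-mode request must pass the CORS check; a no-cors request must carry a Cross-Origin-Resource-Policy value that permits the embedding (cross-origin, or same-site when the origins share a site); and when the embedding document has opted in via Cross-Origin-Embedder-Policy, a response with neither is blocked instead of being embedded opaquely. The `require-corp` string used for the opt-in, the two-label site rule and the sample origins are assumptions of this example, not details taken from the text.

```python
from urllib.parse import urlsplit

# Assumption: "require-corp" stands in for the embedder's opt-in value; the page
# only says that the header switches the context to an opt-in model.
REQUIRE_CORP = "require-corp"


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    port = parts.port if parts.port is not None else default_port
    return (parts.scheme, (parts.hostname or "").lower(), port)


def serialize_origin(origin):
    scheme, host, port = origin
    default_port = {"https": 443, "http": 80}.get(scheme)
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"


def site_of(origin):
    """Toy 'site' = scheme plus last two host labels (assumption: real browsers
    consult the Public Suffix List instead of this two-label rule)."""
    scheme, host, _ = origin
    return (scheme, ".".join(host.split(".")[-2:]))


def may_embed(embedder_url, response_url, response_headers,
              cors_mode=False, embedder_policy=None):
    """Decide whether a response may be embedded; returns (allowed, reason).

    Order of checks mirrors the proposal: same-origin responses are always
    fine; CORS-mode requests stand or fall on the CORS check; no-cors requests
    are judged by CORP; and only when both are absent does the embedder's
    policy decide between the legacy opaque embedding and a block.
    """
    headers = {k.lower(): v.strip().lower() for k, v in response_headers.items()}
    embedder = origin_of(embedder_url)
    responder = origin_of(response_url)

    if embedder == responder:
        return True, "same-origin response"

    if cors_mode:
        # An explicit CORS grant is the resource opting in to being read.
        acao = headers.get("access-control-allow-origin")
        if acao in ("*", serialize_origin(embedder)):
            return True, "CORS check passed"
        return False, "CORS check failed"

    corp = headers.get("cross-origin-resource-policy")
    if corp == "cross-origin":
        return True, "CORP: cross-origin permits embedding anywhere"
    if corp == "same-site":
        if site_of(embedder) == site_of(responder):
            return True, "CORP: same-site permits embedding within the site"
        return False, "CORP: same-site blocks cross-site embedding"
    if corp == "same-origin":
        return False, "CORP: same-origin blocks cross-origin embedding"

    # No CORP header and no CORS grant: the embedder's policy decides.
    if embedder_policy == REQUIRE_CORP:
        return False, "embedder requires CORP or CORS; response offers neither"
    return True, "no embedder policy: legacy opaque embedding allowed"


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    cases = [
        ("https://app.example", "https://cdn.example/lib.js",
         {"Cross-Origin-Resource-Policy": "cross-origin"}, False, REQUIRE_CORP),
        ("https://app.example", "https://cdn.example/lib.js", {}, False, REQUIRE_CORP),
        ("https://app.example", "https://cdn.example/lib.js", {}, False, None),
        ("https://app.example", "https://api.example/data.json",
         {"Access-Control-Allow-Origin": "https://app.example"}, True, REQUIRE_CORP),
    ]
    for embedder, resource, hdrs, cors, policy in cases:
        print(resource, "->", may_embed(embedder, resource, hdrs, cors, policy))
```

The model shows why the opt-in matters: with no embedder policy the third case is embedded opaquely, which is exactly the situation in which a Spectre-style probe could read it, whereas under the opt-in the same response is blocked until its server adds a CORP header or answers CORS.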