October 1, 2020
Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to CORB, applications can introduce a new XS-Leak if they misconfigure the use of this protection.
A webpage will introduce an XS-Leak if CORP is enforced based on user data. If a page search feature enforces CORP when showing results, but doesn't do so when returning no results, an attacker will be able to distinguish the two scenarios. This occurs because a page/resource protected by CORP will return an error when fetched cross-origin.
An application can avoid this XS-Leak if it guarantees CORP is deployed in all application resources/endpoints. Moreover, generic security mechanisms that allow the invalidation of cross-site requests will also help prevent this attack.
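The two paragraphs above describe a misconfiguration (CORP attached only when results exist) and its fix (CORP on every response). The following is an added example, not code from the XS-Leaks wiki: it models a per-user search endpoint in both the leaky and the uniform form, plus a simplified model of the browser's CORP check for a cross-site `no-cors` load, so the difference in what a cross-site page can observe becomes a testable property. The function names, the `USER_MESSAGES` sample data and the queries are assumptions constructed for the illustration.

```javascript
// Added example (not from the XS-Leaks wiki). Function names and sample data
// are assumptions made here for illustration.

// Constructed sample data: the logged-in user's private messages the search runs over.
const USER_MESSAGES = ["invoice for march", "password reset", "meeting notes"];

// Leaky variant: CORP is attached only when results are rendered, which is
// exactly the "CORP enforced based on user data" misconfiguration in the text.
function buildSearchResponseLeaky(query) {
  const hits = USER_MESSAGES.filter((m) => m.includes(query));
  const headers = { "Content-Type": "text/html" };
  if (hits.length > 0) {
    headers["Cross-Origin-Resource-Policy"] = "same-origin";
  }
  return { status: 200, headers, body: hits.join("\n") };
}

// Uniform variant: CORP is applied unconditionally, so whether the cross-site
// load fails no longer depends on the user's data (the fix the text recommends).
function buildSearchResponseUniform(query) {
  const hits = USER_MESSAGES.filter((m) => m.includes(query));
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html",
      "Cross-Origin-Resource-Policy": "same-origin",
    },
    body: hits.join("\n"),
  };
}

// Simplified model of browser CORP enforcement for a cross-origin no-cors fetch:
// "same-origin" always blocks; "same-site" blocks unless the requester is same-site;
// an absent header (or "cross-origin") lets the opaque response load.
function corpAllowsCrossOrigin(response, requesterIsSameSite) {
  const policy = (response.headers["Cross-Origin-Resource-Policy"] || "").toLowerCase();
  if (policy === "same-origin") return false;
  if (policy === "same-site") return requesterIsSameSite;
  return true;
}

// What a cross-site page observes for one query: "load" or "error".
function probeOutcome(handler, query) {
  return corpAllowsCrossOrigin(handler(query), false) ? "load" : "error";
}

// Audit helper: the endpoint leaks if the observable outcome varies with the query.
function isDistinguishable(handler, queries) {
  const outcomes = new Set(queries.map((q) => probeOutcome(handler, q)));
  return outcomes.size > 1;
}

// Constructed queries: one that matches the sample data, one that cannot.
const QUERIES = ["invoice", "zzzz-no-match"];

console.log("leaky  :", QUERIES.map((q) => probeOutcome(buildSearchResponseLeaky, q)));
console.log("uniform:", QUERIES.map((q) => probeOutcome(buildSearchResponseUniform, q)));
```

Running the block prints `error, load` for the leaky handler (one bit about the user's data per query) and `error, error` for the uniform one. The `isDistinguishable` check is the property worth asserting in a test suite: for every endpoint that serves user-dependent content, the CORP outcome seen cross-site must be constant across inputs, which in practice means setting the header in middleware rather than inside individual view branches.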
| SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies |
|---|---|---|---|
| ✔️ | ❌ | ❌ | RIP 🔗 NIP |
🔗 – Defense mechanisms must be combined to be effective against different scenarios.