Cross Origin Policies are special http security headers that define what information can be shared between different sources. Limiting the sharing of information between sources is called Cross-origin Isolation. Cross-origin headers were created to instruct browsers and webservers on how to handle information sharing between different resources. These different sources can be different webservers, processes or different documents or pages in a web browser. This means that when Cross-origin Isolation is active, exchanging information with other sources, is limited by the Cross-origin headers.
Options
The different Cross-Origin headers supported by Really Simple SSL are:
- CORP: Cross-Origin Resource Policy
- COEP: Cross-Origin Embedder Policy
- COOP: Cross-Origin Opener Policy
In this article, we provide instructions for setting the Cross-origin security headers,
Background
In 2018, a new vulnerability was discovered in processors. It allowed a “side channel attack”. These types of attacks try to gather information by measuring the indirect effects of the system, like speed and power consumption. You can compare it to how you track the speed of a car. Instead of following it with GPS, it tries to track the speed by the gas consumption. An example on the web is Spectre. Spectre exploits a processor design flaw with javascript to trick a program into accessing arbitrary locations in the memory space, including personal sensitive data. For more details, please also check leaky.page.
To close the Spectre vulnerability, some features were removed from browsers. If your site uses an API which uses for example the sharedArrayBuffer() or high precision timer functionality, Cross-origin Isolation is required to unlock these features. This can be achieved with a combination of Cross-origin Headers. This is not possible for all configurations, but adding the right Cross-origin headers may improve your website’s security.
