Prevent Info leaks and enable powerful features: COOP and COEP

Chrome for Developers
17 Jul 2020 07:43

Summary

TL;DR: In this video, Eiji Kitamura explains the importance of COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy) headers in achieving cross-origin isolation, a crucial feature for improving web security. These headers help protect against vulnerabilities like Spectre, which can potentially allow malicious sites to access user data across origins. By setting the right headers, developers can safely enable powerful features like SharedArrayBuffer, ensuring the privacy and security of cross-origin resources. The video walks through practical steps for implementation, highlighting the significance of these policies for website owners, CDNs, and resource providers.

Takeaways

  • COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy) are HTTP headers that help websites opt into cross-origin isolation.
  • Cross-origin isolation enables access to powerful web features like SharedArrayBuffers and the JS Self-Profiling API.
  • To use these powerful features, websites must explicitly opt in by setting COOP and COEP headers properly.
  • COOP and COEP are important for owners of CDNs and providers of cross-origin resources like ads, images, and fonts.
  • Composability is a superpower of the web, allowing websites to enhance their capabilities by adding resources from different sources.
  • The Same-Origin Policy (SOP) is a security feature that prevents cross-origin information leakage, but Spectre vulnerabilities can bypass it.
  • Spectre attacks can exploit high-precision timers and access cross-origin content, even if protected by SOP.
  • Browsers respond to Spectre by isolating origins and turning off features that could be used in such attacks, like SharedArrayBuffer.
  • To enable cross-origin isolation, websites must set COOP (same-origin), COEP (require-corp), and ensure cross-origin resources are properly configured.
  • COOP ensures that any cross-origin windows opened by a document have no access to the opener's DOM, contributing to isolation.
  • COEP helps ensure resources from different origins are explicitly marked as shareable, preventing unauthorized access to resources from different domains.

Q & A

  • What are COOP and COEP, and why are they important?

    - COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy) are HTTP headers that enable a web page to opt into cross-origin isolation, allowing access to powerful features like SharedArrayBuffers, JS Self-Profiling API, and performance.measureMemory(). These headers are crucial for enhancing security and performance by isolating origins and preventing malicious attacks such as Spectre.

  • How do COOP and COEP help improve web security?

    - COOP and COEP help secure web pages by isolating the main document from other origins. This isolation prevents cross-origin resources from being accessed inappropriately, especially after vulnerabilities like Spectre were discovered. By using these headers, browsers can block potential exploits that leak memory contents across origins and make advanced web features safe to use.

  • What was the Spectre vulnerability, and how does it relate to COOP and COEP?

    - Spectre is a vulnerability found in CPUs that allows malicious websites to read memory across origin boundaries, using high-precision timers. This can bypass the same-origin policy, which traditionally prevents cross-origin access. COOP and COEP mitigate this risk by isolating origins into separate browsing contexts, thus preventing unauthorized access to memory across origins.

  • What is the same-origin policy, and why is it important for web security?

    - The same-origin policy is a security feature that prevents documents or scripts from interacting with resources from a different origin, reducing the risk of information leakage. This policy ensures that scripts running on a web page cannot access or manipulate data from other websites unless explicitly allowed, thus safeguarding user privacy and data integrity.

  • How do you enable cross-origin isolation on a webpage?

    - To enable cross-origin isolation, you need to configure three things:
      1) Set the Cross-Origin-Opener-Policy (COOP) header to 'same-origin' for the main document.
      2) Ensure all cross-origin resources use the Cross-Origin-Resource-Policy header set to 'cross-origin' or have Cross-Origin Resource Sharing (CORS) enabled.
      3) Set the Cross-Origin-Embedder-Policy (COEP) header to 'require-corp' for the main document.

  • What does setting the COOP header to 'same-origin' achieve?

    - Setting the COOP header to 'same-origin' ensures that any cross-origin window opened from the document will not have access to the opener's DOM, which means 'window.opener' will return null. This isolates the document from cross-origin windows, contributing to a more secure browsing context.

  • What is the role of the Cross-Origin-Resource-Policy (CORP) header?

    - The Cross-Origin-Resource-Policy (CORP) header is sent with a resource and specifies which origins may embed that resource in their pages. By setting CORP to 'cross-origin', you allow the resource to be loaded and accessed securely from other origins. If you serve resources from a different subdomain, you can use this header to ensure they can be safely included.

  • What should you do if a resource you rely on doesn't support CORP or CORS?

    - If a resource does not support CORP or CORS, you should contact the resource provider and request that they add the necessary headers, such as the Cross-Origin-Resource-Policy header with the 'cross-origin' value, to allow safe inclusion of their resources on your site.

  • Why is it important for CDN owners and resource providers to adopt CORP?

    - It is critical for CDN owners and resource providers to adopt CORP because, without it, their resources will be blocked in the browser for websites that have implemented COOP and COEP. This could negatively impact user experience, preventing their resources from being properly loaded across the web.

  • What is the benefit of using the 'Report-Only' mode of COEP?

    - The 'Report-Only' mode of COEP allows you to monitor cross-origin resource loading issues without actually blocking them. It provides reports to a specified URL, helping you test and confirm that cross-origin isolation is working as expected before enforcing the blocking behavior on end-users.
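
The three-step setup and the Report-Only mode described in the answers above, as an added example that is not code from the video: it builds the main-document headers and predicts which subresources a document enforcing `require-corp` would block. The function names, the `example.*` hosts and the `coep` reporting group are assumptions, and "same-site" is approximated by the last two host labels.

```javascript
// Added example. Function names, the example.* hosts and the "coep" reporting
// group are assumptions for illustration, not taken from the video.

// Headers for the main document. reportOnly=true reports violations without blocking.
function isolationHeaders({ reportOnly = false } = {}) {
  const coep = 'Cross-Origin-Embedder-Policy' + (reportOnly ? '-Report-Only' : '');
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    // report-to names a reporting group that must be declared separately.
    [coep]: reportOnly ? 'require-corp; report-to="coep"' : 'require-corp',
  };
}

// Simplified "site": scheme plus last two host labels (browsers use the Public Suffix List).
const site = (u) => `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;

// Predict how a document at docUrl enforcing COEP: require-corp treats one subresource.
// res = { url, mode: 'cors' | 'no-cors', headers: { 'lower-case-name': value } }
// CORS is modelled for anonymous (credential-less) requests only.
function coepVerdict(docUrl, res) {
  const doc = new URL(docUrl);
  const target = new URL(res.url);
  if (doc.origin === target.origin) return 'allowed: same-origin';
  if (res.mode === 'cors') {
    const acao = res.headers['access-control-allow-origin'];
    return acao === '*' || acao === doc.origin ? 'allowed: CORS' : 'blocked: CORS check failed';
  }
  const corp = (res.headers['cross-origin-resource-policy'] || '').trim();
  if (corp === 'cross-origin') return 'allowed: CORP cross-origin';
  if (corp === 'same-site' && site(doc) === site(target)) return 'allowed: CORP same-site';
  return corp ? `blocked: CORP ${corp}` : 'blocked: no CORP header';
}

// Constructed sample: subresources requested by https://app.example/
const SAMPLE = [
  { url: 'https://app.example/main.js', mode: 'no-cors', headers: {} },
  { url: 'https://cdn.example.net/logo.png', mode: 'no-cors', headers: {} },
  { url: 'https://cdn.example.net/font.woff2', mode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
  { url: 'https://static.app.example/hero.jpg', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'same-site' } },
  { url: 'https://ads.example.org/pixel.gif', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'cross-origin' } },
];

const audit = (docUrl, resources) =>
  resources.map((r) => `${coepVerdict(docUrl, r)}  ${r.url}`);

console.log(isolationHeaders());
console.log(audit('https://app.example/', SAMPLE).join('\n'));
```

The second sample entry is the case the Q&A warns CDN owners about: a cross-origin image loaded without CORS and without a CORP header is blocked once the embedding page enforces COEP.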

Related Tags

Web Security, Cross-Origin, COOP, COEP, Performance, SharedArrayBuffer, Browser Isolation, CDN, Resource Policy, Web Development, JavaScript