Skip to content

Commit

Permalink
add example for CORP
Browse files Browse the repository at this point in the history
  • Loading branch information
xanhacks committed Jan 31, 2024
1 parent ea2d9ab commit 3ca0f5d
Show file tree
Hide file tree
Showing 3 changed files with 72 additions and 9 deletions.
10 changes: 5 additions & 5 deletions content/en/docs/http/cross-origin-read-blocking.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: "Cross-Origin Read Blocking"
description: "Overview of Cross-Origin Read Blocking"
lead: "Overview of Cross-Origin Read Blocking"
title: "Cross-Origin Read Blocking (CORB)"
description: "Overview of Cross-Origin Read Blocking (CORB)"
lead: "Overview of Cross-Origin Read Blocking (CORB)"
date: 2023-01-01T00:00:00+00:00
lastmod: 2023-01-01T00:00:00+00:00
draft: false
Expand All @@ -24,11 +24,11 @@ CORB mitigates the following attack vectors:
1. **Cross-Site Script Inclusion (XSSI)**: XSSI is the technique of pointing the `<script>` tag at a target resource which is not JavaScript, and observing some side effects when the resulting resource is interpreted as JavaScript. CORB prevents this class of attacks, because a CORB-protected resource will be blocked from ever being delivered to a cross-site `<script>` element.
2. **Speculative Side Channel Attack (e.g. Spectre)**: An attacker may use an `<img src="https://example.com/secret.json">` element to pull a cross-site secret into the process where the attacker's JavaScript runs, and then use a speculative side channel attack (e.g. Spectre) to read the secret. CORB can prevent this class of attacks when used in tandem with [Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation/) (ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do), by preventing the JSON resource from being present in the memory of a process hosting a cross-site page.

### How CORB Works
## How CORB Works

CORB works by examining the MIME type of cross-origin responses and blocking those that should not be made available to the requesting web page due to their sensitive nature.

### Key Aspects of CORB
## Key Aspects of CORB

- **MIME Type Evaluation**: CORB checks the MIME type of a cross-origin response against a list of "protected" MIME types (such as HTML, XML (excluding SVG), and JSON). If the MIME type of the response is on this list, CORB may block the response from being consumed by the requesting site.
- **Blocking Strategy**: If CORB decides to block a response, it does so by stripping the response body, effectively preventing the requesting JavaScript from reading the content. However, the request itself is not blocked, the server still receives the request and sends a response. The difference is that the JavaScript on the requesting site cannot access the response's body.
Expand Down
63 changes: 63 additions & 0 deletions content/en/docs/http/cross-origin-resource-policy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
---
title: "Cross-Origin Resource Policy (CORP)"
description: "Overview of Cross-Origin Resource Policy (CORP)"
lead: "Overview of Cross-Origin Resource Policy (CORP)"
date: 2023-01-01T00:00:00+00:00
lastmod: 2023-01-01T00:00:00+00:00
draft: false
images: []
menu:
docs:
parent: "http"
weight: 620
toc: true
---

## Cross-Origin Resource Policy (CORP)

[Cross-Origin Resource Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy) is a policy set by the `Cross-Origin-Resource-Policy` HTTP header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like `<script>` and `<img>`), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

> As this policy is expressed via a response header, the actual request is not prevented. Rather, the browser prevents the result from being leaked by stripping the response body.
## Usage

- `Cross-Origin-Resource-Policy: same-site`: Only requests from the same Site can read the resource.
- `Cross-Origin-Resource-Policy: same-origin`: Only requests from the same origin (i.e. scheme + host + port) can read the resource.
- `Cross-Origin-Resource-Policy: cross-origin`: Requests from any origin (both same-site and cross-site) can read the resource.

## Example

In the provided example, the script `profile.js` will only load if both the client and server originate from the same site. For instance, if the client's origin is `app.example.com`, the script will load successfully. However, if the client comes from a different site, such as `app.anothersite.com`, the script will not load.

Client source code:

```html
<script src="https://cdn.example.com/user/profile.js"></script>
<script>
setTimeout(() => {
console.log(secret);
}, 500);
</script>
```

Server (e.g. CDN) source code:

```python
from flask import Flask

app = Flask(__name__)

@app.route('/')
def home():
return "const secret = 1337;"

@app.after_request
def add_response_headers(response):
response.headers['Cross-Origin-Resource-Policy'] = 'same-site'
return response

if __name__ == '__main__':
app.run(debug=True)
```
8 changes: 4 additions & 4 deletions content/en/docs/http/x-content-type-options.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: "X-Content-Type-Options"
description: "Overview of X-Content-Type-Options"
lead: "Overview of X-Content-Type-Options"
title: "X-Content-Type-Options (XCTO)"
description: "Overview of X-Content-Type-Options (XCTO)"
lead: "Overview of X-Content-Type-Options (XCTO)"
date: 2023-01-01T00:00:00+00:00
lastmod: 2023-01-01T00:00:00+00:00
draft: false
Expand All @@ -13,7 +13,7 @@ weight: 620
toc: true
---

## X-Content-Type-Options
## X-Content-Type-Options (XCTO)

The [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

Expand Down

0 comments on commit 3ca0f5d

Please sign in to comment.