Cross-Origin Resource Policy (CORP)
Author: Vaibhav Malik
## Description
Cross-Origin Resource Policy (CORP) is a web platform security feature that
allows websites to control which origins can load their resources. It
mitigates the risk of cross-origin information leaks by ensuring that
resources like images, scripts, and sub-documents are loaded only by authorized origins.
CORP is implemented via an HTTP response header that specifies one of three
resource-sharing policies:
1. **Cross-Origin-Resource-Policy : same-site** - The resource can only be
loaded from the same site, i.e., the same origin or a subdomain of the
serving origin. This is the default behavior if no CORP header is present.
2. **Cross-Origin-Resource-Policy : same-origin** - This is the most
restrictive policy. The resource can only be loaded from the exact
same origin, excluding subdomains.
3. **Cross-Origin-Resource-Policy : cross-origin** - The resource can
be loaded from any origin. This opt-out of protections should be used
sparingly and only for public resources.
CORP complements cross-origin protections like Cross-Origin Resource
Sharing (CORS) and Same-Origin Policy (SOP). While CORS and SOP restrict
access from a requesting website's perspective, CORP enforces restrictions from the serving website's side.
CORP provides several security benefits:
- **Prevents cross-origin information leaks** - Sensitive resources
accidentally exposed without CORS cannot be loaded by unauthorized external websites.
- **Mitigates speculative execution side-channel attacks** - Untrusted origins
cannot load resources that might be impacted by CPU speculative execution vulnerabilities like Spectre.
- **Protects against timing attacks** - Measuring the time taken to load a
cross-origin resource cannot be used to infer sensitive information.
- **Reduces attack surface** - Unauthorized origins cannot include a
website's resources in their pages, minimizing avenues for clickjacking, UI redressing, etc.
However, CORP also introduces some considerations:
- **Browser support** : CORP is a relatively new standard that may not
be supported by older browsers. Fallback protection may be needed.
- **Resource isolation** - Resources served with a restrictive CORP
policy must not depend on external origins for proper rendering or functioning.
- **Subdomain configuration** - The `same-site` policy allows resource
loading from subdomains. Each subdomain should carefully set its own
CORP headers to avoid unintended exposure.
## Sample Code
Below is an example of setting CORP headers in a Node.js/Express application:
```javascript
const express = require('express');
const app = express();
// Serve public resources with cross-origin access
app.use('/public', express.static('public', {
setHeaders: (res, path, stat) => {
res.set('Cross-Origin-Resource-Policy', 'cross-origin');
}
}));
// Serve sensitive resources only to same-origin
app.use('/private', express.static('private', {
setHeaders: (res, path, stat) => {
res.set('Cross-Origin-Resource-Policy', 'same-origin');
}
}));
// Set default CORP policy to same-site for the rest of the app
app.use((req, res, next) => {
res.set('Cross-Origin-Resource-Policy', 'same-site');
next();
});
app.get('/', (req, res) => {
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server started on port 3000');
});
```
This code sets up an Express server with three CORP policies:
- The `/public` route serves resources that can be loaded by any origin.
- The `/private` route serves resources that can only be loaded by the same origin.
- The rest of the app defaults to the `same-site` policy, allowing loading from the same site and its subdomains.
To test the policies, you can host an HTML file on a different origin that tries to load resources from this server:
```html
Attempting cross-origin loads...
```
When loaded from a different origin, only the `/public/image.jpg` resource will successfully load. The other two images will be blocked by CORP.
In conclusion, the Cross-Origin Resource Policy is a robust security control for protecting sensitive web resources from unauthorized cross-origin access. When properly configured, it provides defense-in-depth alongside CORS and SOP. Web developers should leverage CORP headers to enhance the isolation and integrity of their applications.
## References
- [MDN Web Docs: Cross-Origin Resource Policy (CORP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
- [web.dev: Protect your resources from web attacks with Fetch Metadata](https://web.dev/fetch-metadata/)
- [Fetch Metadata Request Headers playground](https://secmetadata.appspot.com/)
- [OWASP Cheat Sheet Series: Cross-Origin Resource Sharing](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Origin_Resource_Sharing_Cheat_Sheet.html)