Make WordPress Core

Opened 3 years ago

Last modified 2 years ago

#54474 new enhancement

Add cross-origin-resource-policy: cross-origin header to WordPress shared resources to allow COOP and COEP

Reported by: rogierlankhorst's profile RogierLankhorst Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:


There are some new headers, COOP and COEP, which can only be used if the resources the website uses send the header

cross-origin-resource-policy: cross-origin

Currently, setting COEP to

Cross-Origin-Embedder-Policy: require-corp

On WordPress website will (among others) break thumbnails from the WordPress plugin repository, gravatar, etc.

Applying this simple header to each WordPress resource that is used embedded in WordPress installations will greatly improve security options for end-users.

Change History (2)

#1 @skotfred
2 years ago

To support this, crossorigin="anonymous" should be added to the externally hosted resources/images such as Gravatar, as they currently fail when the headers are added on the server itself.

#2 @RogierLankhorst
2 years ago

When I submitted this ticked, I wrongfully understood this header to improve security. I have now concluded that the COEP, COOP and CORP header do not actually improve security, but are a way to achieve Cross Origin Isolation. This is required if an application uses javascript code that leverages certain functions like sharedArrayBuffer, performance.measureMemory, and similar functions which were disabled to prevent Spectre side channel attacks.

I don't expect there to be a use case for this with in WordPress however. So in my opinion the ticket can be closed again.

Note: See TracTickets for help on using tickets.