Opened 2 years ago
Last modified 18 months ago
#54474 new enhancement
Add cross-origin-resource-policy: cross-origin header to WordPress shared resources to allow COOP and COEP
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | Cc: |
Description
There are some new headers, COOP and COEP, which can only be used if the resources the website uses send the header
cross-origin-resource-policy: cross-origin
Currently, setting COEP to
Cross-Origin-Embedder-Policy: require-corp
On WordPress website will (among others) break thumbnails from the WordPress plugin repository, gravatar, etc.
Applying this simple header to each WordPress resource that is used embedded in WordPress installations will greatly improve security options for end-users.
Change History (2)
#2
@
18 months ago
When I submitted this ticked, I wrongfully understood this header to improve security. I have now concluded that the COEP, COOP and CORP header do not actually improve security, but are a way to achieve Cross Origin Isolation. This is required if an application uses javascript code that leverages certain functions like sharedArrayBuffer, performance.measureMemory, and similar functions which were disabled to prevent Spectre side channel attacks.
I don't expect there to be a use case for this with in WordPress however. So in my opinion the ticket can be closed again.
To support this, crossorigin="anonymous" should be added to the externally hosted resources/images such as Gravatar, as they currently fail when the headers are added on the server itself.