Make WordPress Core

Opened 3 years ago

Closed 6 months ago

#54474 closed enhancement (wontfix)

Add cross-origin-resource-policy: cross-origin header to WordPress shared resources to allow COOP and COEP

Reported by: RogierLankhorst
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords: close
Focuses:
Cc:

Description

There are some new headers, COOP and COEP, which can only be used if the resources the website uses send the header

cross-origin-resource-policy: cross-origin

Currently, setting COEP to

Cross-Origin-Embedder-Policy: require-corp

On a WordPress website, this will (among other things) break thumbnails from the WordPress plugin repository, Gravatar, etc.

Applying this simple header to each WordPress resource that is used embedded in WordPress installations will greatly improve security options for end-users.

Change History (4)

#1 @skotfred
3 years ago

To support this, crossorigin="anonymous" should be added to the externally hosted resources/images such as Gravatar, as they currently fail when the headers are added on the server itself.

#2 @RogierLankhorst
3 years ago

When I submitted this ticket, I wrongfully understood this header to improve security. I have now concluded that the COEP, COOP and CORP headers do not actually improve security, but are a way to achieve Cross-Origin Isolation. This is required if an application uses JavaScript code that leverages certain functions like SharedArrayBuffer, performance.measureMemory, and similar functions which were disabled to prevent Spectre side-channel attacks.

I don't expect there to be a use case for this within WordPress however. So in my opinion the ticket can be closed again.
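As an added illustration, not code from this ticket or from WordPress core, the Python below models the browser-side decision that the description and comments #1 and #2 describe: under `Cross-Origin-Embedder-Policy: require-corp` a cross-origin image without a `Cross-Origin-Resource-Policy` header is blocked, `cross-origin` lets it load, a `crossorigin="anonymous"` request is governed by CORS instead of CORP, and `crossOriginIsolated` only becomes true when COOP and COEP are both set. It follows the Fetch specification's cross-origin resource policy check; the hostnames, URLs and header sets are constructed for the example, and the same-site rule is simplified to "same scheme and same last two host labels" (no public-suffix list).

```python
"""Model of the browser's COEP/CORP decision for an embedded resource.

Simplified from the Fetch spec's "cross-origin resource policy check":
only the COEP values "unsafe-none" and "require-corp" are modelled, and
same-site is approximated without a public-suffix list.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def same_site(origin_a: str, origin_b: str) -> bool:
    """Simplified same-site: same scheme and same registrable domain,
    approximated as the last two host labels (assumption: no public-suffix list)."""
    a, b = urlsplit(origin_a), urlsplit(origin_b)
    if a.scheme != b.scheme:
        return False
    return a.hostname.split(".")[-2:] == b.hostname.split(".")[-2:]


@dataclass
class Document:
    origin: str
    coep: str = "unsafe-none"  # "unsafe-none" or "require-corp"
    coop: str = "unsafe-none"  # "unsafe-none" or "same-origin"

    def cross_origin_isolated(self) -> bool:
        """SharedArrayBuffer and friends are only exposed when both headers are set."""
        return self.coop == "same-origin" and self.coep == "require-corp"


@dataclass
class Response:
    url: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        """Case-insensitive header lookup."""
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


def load_allowed(doc: Document, resp: Response, mode: str = "no-cors") -> bool:
    """Decide whether `doc` may embed `resp`.

    "no-cors" is the default for <img>/<script>; crossorigin="anonymous"
    switches the request to "cors", where Access-Control-Allow-Origin decides
    and the CORP check is not applied."""
    res_origin = origin_of(resp.url)
    if mode == "cors":
        acao = resp.header("Access-Control-Allow-Origin")
        return acao == "*" or acao == doc.origin
    policy = (resp.header("Cross-Origin-Resource-Policy") or "").strip().lower()
    if policy not in ("same-origin", "same-site", "cross-origin"):
        policy = None
    if policy is None:
        if doc.coep != "require-corp":
            return True          # no CORP header and no COEP: loads as today
        policy = "same-origin"   # require-corp treats a missing header as same-origin
    if policy == "cross-origin":
        return True
    if res_origin == doc.origin:
        return True
    if policy == "same-origin":
        return False
    return same_site(doc.origin, res_origin)


def ticket_scenarios() -> dict:
    """The situations from the ticket, with constructed hosts and headers."""
    site = Document("https://example.com", coep="require-corp", coop="same-origin")
    avatar = Response("https://avatars.example.net/avatar/0123abcd")  # no CORP header
    avatar_corp = Response(avatar.url, {"Cross-Origin-Resource-Policy": "cross-origin"})
    thumb_cors = Response("https://plugins.example.org/icons/example.png",
                          {"Access-Control-Allow-Origin": "*"})
    return {
        "isolated": site.cross_origin_isolated(),
        "avatar_no_header": load_allowed(site, avatar),                # blocked
        "avatar_with_corp": load_allowed(site, avatar_corp),           # allowed
        "thumb_crossorigin_anonymous": load_allowed(site, thumb_cors, mode="cors"),
        "without_coep": load_allowed(Document("https://example.com"), avatar),
    }


if __name__ == "__main__":
    for name, ok in ticket_scenarios().items():
        print(f"{name}: {ok}")
```

The `avatar_no_header` case is the breakage the description reports, `avatar_with_corp` is the fix the ticket requests from the resource host, and `thumb_crossorigin_anonymous` is the client-side route from comment #1, which only works if the host also sends a CORS allow header.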

#3 @tw2113
6 months ago

  • Keywords close added

Recommending close as well, as per original reporter.

#4 @johnbillion
6 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the follow up 👍
