Extend Cross-Origin-Resource-Policy to take origin values #760
Comments
This header makes it easier for sites to block unwanted "no-cors" cross-origin requests. Tests: * web-platform-tests/wpt#11171 * web-platform-tests/wpt#11427 * web-platform-tests/wpt#11428 Follow-up: #760. Fixes #687.
This header makes it easier for sites to block unwanted "no-cors" cross-origin requests. Tests: * web-platform-tests/wpt#11171 * web-platform-tests/wpt#11427 * web-platform-tests/wpt#11428 Follow-up: #760 & #767. Fixes #687.
|
What is the main problem that this issue attempts to solve? Is this mostly about the problem described by @arturjanc in #687 (comment):
cc @mikewest |
|
Also (for helping with prioritization), do you think supporting cross-site Cross-Origin-Resource-Policy (e.g. by making Cross-Origin-Resource-Policy accept literal origins) is more or less important than working on finalizing and implementing Sec-Fetch-Site? cc @csreis |
|
From an individual website developer's view, this can effectively address the hotlinking issues. The region where my website's users are located demands expensive server bandwidth, and service providers like Vercel and Cloudflare, which are more cost-effective or even free, cannot offer stable services in that area. When some larger websites unauthorizedly use certain images/videos, the impact on my website is no less than DDoS attacks (pricewise). Nearly every local CDN provider offers anti-hotlinking services based on Referer. However, Referer is no longer accurate enough for long; |
In #687 there was a strong interest, notably by @arturjanc, to make
Cross-Origin-Resource-Policyaccept literal origins.Things to decide:
This also means we can no longer fail open. E.g., the tests in web-platform-tests/wpt#11427 would have to be flipped so they expect rejection instead since we do not know that the unrecognized values are not origins.
cc @johnwilander @youennf
The text was updated successfully, but these errors were encountered: