# ---------------------------------------------------------------------- # | Cross Origin Policy | # ---------------------------------------------------------------------- # Set strict a Cross Origin Policy to mitigate information leakage. # # (1) Cross-Origin-Embedder-Policy prevents a document from loading any # cross-origin resources that don’t explicitly grant the document # permission. # https://html.spec.whatwg.org/multipage/origin.html#coep # https://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy # # (2) Cross-Origin-Opener-Policy allows you to ensure a top-level document does # not share a browsing context group with cross-origin documents. # https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies # https://owasp.org/www-project-secure-headers/#cross-origin-opener-policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy # # (3) Cross-Origin-Resource-Policy allows to define a policy that lets web # sites and applications opt in to protection against certain requests from # other origins, to mitigate speculative side-channel attacks. # https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header # https://owasp.org/www-project-secure-headers/#cross-origin-resource-policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy # https://resourcepolicy.fyi/ # # To check your Cross Origin Policy, you can use an online service, such as: # https://securityheaders.com/ # https://observatory.mozilla.org/ # # https://web.dev/coop-coep/ # https://web.dev/why-coop-coep/ # https://web.dev/cross-origin-isolation-guide/ # https://scotthelme.co.uk/coop-and-coep/ # (1) add_header Cross-Origin-Embedder-Policy $coep_policy always; # (2) add_header Cross-Origin-Opener-Policy $coop_policy always; # (3) add_header Cross-Origin-Resource-Policy $corp_policy always;