Security headers to consider:

- `Cross-Origin-Embedder-Policy` (COEP):
- `Cross-Origin-Opener-Policy` (COOP): Prevents third-parties from opening/controlling a window. Relates to `rel="noopener"` and CSP's `disown-opener` directive, I think. The initially proposed name for this header was `Cross-Origin-Isolate` and later `Cross-Origin-Window-Policy`. In Safari 12 this was implemented and renamed from `Cross-Origin-Options`.
- `Cross-Origin-Resource-Policy` (CORP): Enables authors to prevent other domains from loading resources by restricting any kind of cross-origin load to protect themselves against Spectre attacks. This header was originally named `From-Origin`. (Available in Safari 12.) IDK; check for interoperability with CSP and `Access-Control-Allow-Origin`? Yep, and `X-Frame-Options`: whatwg/html#3740 (comment)
- `Expect-CT`: The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.
- `Feature-Policy` (+ `Document-Policy`): The HTTP `Feature-Policy` header provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.

+ Non-standard headers:

- `X-Download-Options`: When this header is set with the value `noopen` it prevents IE from displaying an "Open" button after an HTML file is downloaded. This was introduced for IE 8 (support suggested for MS Edge) due to the fact that downloaded HTML files that were opened directly would execute scripts in the context of the page.
- `X-Permitted-Cross-Domain-Policies`: This header specifies if/how a cross-domain policy file (XML) is allowed. The file defines a policy to grant web clients, such as Adobe Flash Player or Adobe Acrobat (e.g. PDF files), permission to handle data across domains. Considered a top-10 security header at OWASP. Check for interoperability with `Cross-Origin-Resource-Policy`, CSP and `Access-Control-Allow-Origin`? Also @molant mentioned CORB.
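As an added example (not code from this issue or from the project), a small Python checker that applies the header list above to a dict of response headers and reports headers that are missing or carry a non-hardening value. The accepted values are assumptions taken from the respective specs rather than from the issue text, and both sample header sets are constructed.

```python
# Values a checker would accept as "hardening" for each header (assumption: taken
# from the respective specs, not from the issue text). Anything else is reported.
ACCEPTED = {
    "cross-origin-embedder-policy": {"require-corp"},
    "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups"},
    "cross-origin-resource-policy": {"same-origin", "same-site"},
    "x-download-options": {"noopen"},
    "x-permitted-cross-domain-policies": {"none", "master-only",
                                          "by-content-type", "by-ftp-filename"},
}

def check_headers(headers):
    """Return a list of (header, problem) findings for a dict of response headers.
    Header names are matched case-insensitively; only the first value token is judged."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, ok in ACCEPTED.items():
        if name not in lower:
            findings.append((name, "missing"))
            continue
        token = lower[name].split(";")[0].split(",")[0].strip().lower()
        if token not in ok:
            findings.append((name, f"weak or unknown value '{lower[name]}'"))
    # Expect-CT: needs max-age; without 'enforce' it is report-only
    ct = lower.get("expect-ct")
    if ct is None:
        findings.append(("expect-ct", "missing"))
    else:
        directives = {d.strip().split("=")[0].lower() for d in ct.split(",")}
        if "max-age" not in directives:
            findings.append(("expect-ct", "no max-age directive"))
        elif "enforce" not in directives:
            findings.append(("expect-ct", "report-only (no 'enforce')"))
    if "feature-policy" not in lower:
        findings.append(("feature-policy", "missing"))
    return findings

# Constructed sample responses, not captured from any real site.
WEAK = {
    "Content-Type": "text/html",
    "Cross-Origin-Opener-Policy": "unsafe-none",
    "Cross-Origin-Resource-Policy": "same-site",
    "X-Download-Options": "noopen",
    "Expect-CT": 'max-age=86400, report-uri="https://example.com/ct"',
}
HARDENED = {
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Expect-CT": "max-age=86400, enforce",
    "Feature-Policy": "geolocation 'none'; camera 'none'",
}
```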