CORP Leaks
October 1, 2020
Explanation
Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to CORB, applications can introduce a new XS-Leak if they misconfigure the use of this protection.
A web page introduces an XS-Leak if CORP is enforced based on user data. If a page's search feature enforces CORP when it shows results but not when it returns no results, an attacker can distinguish the two scenarios: a page or resource protected by CORP fails with an error when fetched cross-origin, whereas the unprotected response loads normally.
Defense
An application can avoid this XS-Leak if it guarantees that CORP is deployed consistently on all of its resources and endpoints, independent of user data. Moreover, generic security mechanisms that reject cross-site requests (so they are not processed with the user's credentials) will also help prevent this attack.
| SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies |
|---|---|---|---|
| ✔️ | ❌ | ❌ | RIP 🔗 NIP |
🔗 – Defense mechanisms must be combined to be effective against different scenarios.
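The following is an added example, not code from the XS-Leaks wiki or any demo it links to. It models the search endpoint described above as a pure function so the header policy can be audited offline: a leaky variant that attaches `Cross-Origin-Resource-Policy` only when results exist, the hardened variant that sets it before any user data is consulted, and an audit helper that probes both states and flags the inconsistency. The record set, the probe queries and the names `handleSearchLeaky`, `handleSearchFixed` and `auditCorp` are all assumptions constructed for this example.

```javascript
// Added example (not from the XS-Leaks wiki): a search endpoint modelled as a
// pure function (query -> response) so the CORP header policy can be audited
// offline. Handler and helper names are hypothetical.

// Constructed sample data standing in for the logged-in user's private records.
const PRIVATE_RECORDS = ["invoice-2020-09", "invoice-2020-10", "payslip-2020-09"];

function search(query) {
  return PRIVATE_RECORDS.filter((record) => record.includes(query));
}

// Leaky variant: CORP is attached only when the search produced results.
// Cross-origin, a fetch of a matching query fails (CORP blocks it) while a
// non-matching query loads, so error/no-error reveals whether a record exists.
function handleSearchLeaky(query) {
  const results = search(query);
  const headers = { "Content-Type": "application/json" };
  if (results.length > 0) {
    headers["Cross-Origin-Resource-Policy"] = "same-origin";
  }
  return { status: 200, headers, body: JSON.stringify({ results }) };
}

// Hardened variant: the header is set unconditionally, before user data is
// consulted, so every response from this endpoint behaves identically
// cross-origin regardless of what the search returns.
function handleSearchFixed(query) {
  const headers = {
    "Content-Type": "application/json",
    "Cross-Origin-Resource-Policy": "same-origin",
  };
  const results = search(query);
  return { status: 200, headers, body: JSON.stringify({ results }) };
}

// Audit helper: runs a handler over probe queries covering both the
// "has results" and "no results" states and reports whether CORP is present
// and identical on every response. Any difference is the leak condition.
function auditCorp(handler, probes) {
  const values = probes.map(
    (q) => handler(q).headers["Cross-Origin-Resource-Policy"] || null
  );
  const consistent = values.every((v) => v === values[0]);
  const present = values.every((v) => v !== null);
  return { consistent, present, ok: consistent && present, values };
}

// Constructed probes: two that match records, one that matches nothing.
const PROBES = ["payslip", "invoice", "zzz-no-match"];

console.log("leaky:", auditCorp(handleSearchLeaky, PROBES));
console.log("fixed:", auditCorp(handleSearchFixed, PROBES));
```

The same audit can be pointed at any endpoint that is expected to be CORP-protected: if the reported `values` differ across probes that only vary user-dependent state, the header is being derived from that state and the endpoint is leaking it. Setting the header in a middleware that runs before the route handler, rather than inside per-route logic, is the simplest way to keep `ok` true across the whole application.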