CORP Leaks

October 1, 2020

Abuse: Browser Feature
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies

Explanation

Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to CORB, applications can introduce a new XS-Leak if they misconfigure the use of this protection.

A webpage will introduce an XS-Leak if CORP is enforced based on user data. If a page search feature enforces CORP when showing results, but doesn't do so when returning no results, an attacker will be able to distinguish the two scenarios. This occurs because the browser refuses to hand a CORP-protected page/resource to a cross-origin fetch, which surfaces to the requesting page as an error, while the unprotected response loads normally.

Defense

An application can avoid this XS-Leak if it guarantees CORP is deployed on all application resources/endpoints, independent of the content of any particular response. Moreover, generic security mechanisms that reject cross-site requests before application logic runs (for example, isolation policies built on Fetch Metadata) will also help prevent this attack.
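The following is an added example (not code from the XS-Leaks wiki or any application it describes) that puts the Explanation and Defense sections side by side: a search endpoint that attaches CORP only when it has results, the same endpoint with CORP applied to every response it can produce, a Resource Isolation Policy built on the Fetch Metadata request headers, and a regression check that confirms the CORP header no longer depends on user data. The request dictionary shape, the handler names and the sample requests are constructed for this example and are not part of any real framework.

```python
"""Uniform CORP plus a Fetch Metadata resource isolation policy.

Constructed example with a minimal request/response model and no web
framework, so it runs offline. A request is a dict with a "method" and a
"headers" dict; a response is (status, headers, body).
"""
from typing import Callable, Dict, List, Tuple

Request = dict
Response = Tuple[int, Dict[str, str], str]
CORP = "Cross-Origin-Resource-Policy"

# Sec-Fetch-Site values a first-party application should accept outright.
ALLOWED_SITES = {"same-origin", "same-site", "none"}


def is_allowed_by_rip(request: Request) -> bool:
    """Resource Isolation Policy evaluated on the Fetch Metadata headers.

    Accepts same-origin, same-site and user-initiated ("none") requests, and
    cross-site top-level GET navigations so that external links into the
    site keep working. Every other cross-site request (fetch(), <img>,
    <script>, <iframe>, cross-site POST form submissions, ...) is rejected
    before any application logic runs. Requests that carry no Fetch
    Metadata at all come from browsers that do not send it and pass through.
    """
    headers = request["headers"]
    site = headers.get("Sec-Fetch-Site")
    if site is None or site in ALLOWED_SITES:
        return True
    is_navigation = headers.get("Sec-Fetch-Mode") == "navigate"
    is_get = request.get("method", "GET").upper() == "GET"
    dest = headers.get("Sec-Fetch-Dest", "document")
    return is_navigation and is_get and dest not in ("object", "embed")


def render(results: List[str]) -> str:
    """Tiny HTML body for the search page (constructed)."""
    if not results:
        return "<p>No results</p>"
    return "<ul>" + "".join(f"<li>{r}</li>" for r in results) + "</ul>"


def vulnerable_search(request: Request, results: List[str]) -> Response:
    """The misconfiguration described on this page: CORP is attached only
    when the search produced results, so the two states are distinguishable
    by whether a cross-origin load errors out."""
    headers = {"Content-Type": "text/html"}
    if results:
        headers[CORP] = "same-origin"
    return 200, headers, render(results)


def hardened_search(request: Request, results: List[str]) -> Response:
    """Same endpoint, fixed: the isolation policy rejects cross-site
    subresource requests first, and CORP is present on every response the
    endpoint can emit, including the 403, so no response depends on user
    data for its protection."""
    if not is_allowed_by_rip(request):
        return 403, {CORP: "same-origin"}, ""
    headers = {"Content-Type": "text/html", CORP: "same-origin"}
    return 200, headers, render(results)


def corp_is_uniform(handler: Callable[[Request, List[str]], Response],
                    request: Request) -> bool:
    """Regression check for the leak: run the handler on an empty and a
    non-empty result set and require the CORP header to be present and
    identical in both responses."""
    empty = handler(request, [])[1].get(CORP)
    full = handler(request, ["alice"])[1].get(CORP)
    return empty is not None and empty == full


# Constructed sample requests as a browser would send them.
CROSS_SITE_FETCH = {"method": "GET", "headers": {
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty"}}
CROSS_SITE_NAV = {"method": "GET", "headers": {
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document"}}
CROSS_SITE_POST_NAV = {"method": "POST", "headers": {
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document"}}
SAME_ORIGIN_FETCH = {"method": "GET", "headers": {
    "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty"}}

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search),
                          ("hardened", hardened_search)):
        print(f"{name}: CORP uniform across result states:",
              corp_is_uniform(handler, SAME_ORIGIN_FETCH))
    print("cross-site fetch under RIP ->", hardened_search(CROSS_SITE_FETCH, ["alice"])[0])
```

The check is the part worth keeping in a test suite: `corp_is_uniform` fails for the vulnerable handler (no header on the empty result) and passes for the hardened one, and it keeps passing even for a cross-site request because the 403 also carries the header. The isolation policy is the second, independent layer named in the Defense section; it blocks the cross-site `fetch()` before the search runs at all, while still letting a cross-site GET navigation through.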

SameSite Cookies (Lax): ✔️
COOP:
Framing Protections:
Isolation Policies: RIP 🔗 NIP

🔗 – Defense mechanisms must be combined to be effective against different scenarios.