Resource Isolation Policy

November 30, 2020

Resource Isolation Policy prevents external websites from requesting your resources. Blocking such traffic mitigates common web vulnerabilities such as CSRF, XSSI, or XS-Leaks. The policy can be enabled for applications whose endpoints are not intended to be loaded in a cross-site context and will allow resource requests coming from your application as well as direct navigations.

Implementation with Fetch Metadata #

The below snippet showcases an example implementation of the Resource Isolation Policy with the use of Fetch Metadata headers:

# Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs
def allow_request(req):
  # [OPTIONAL] Exempt paths/endpoints meant to be served cross-origin.
  if req.path in ('/my_CORS_endpoint', '/favicon.png'):
    return True

  # Safe to set `Cross-Origin-Resource-Policy: same-site`. (see Considerations)

  # Allow requests from browsers which don't send Fetch Metadata
  if not req['headers']['sec-fetch-site']:
    return True

  # Allow same-site and browser-initiated requests
  if req['headers']['sec-fetch-site'] in ('same-origin', 'same-site', 'none'):
    return True

  # Allow simple top-level navigations, this includes embeds
  if req['headers']['sec-fetch-mode'] == 'navigate' and req.method == 'GET':
      return True

  # Reject all other requests
  return False

Considerations #

It should be safe to set a Cross-Origin-Resource-Policy: same-site response header on all requests that have not explicitly been exempted from Resource Isolation Policy. See CORP.

Deployment #

Check out this web.dev article to learn more about this protection, some different policies, and tips on how to deploy it.