Cross-Origin-Embedder-Policy

I am trying to set up CORS values:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

as per

To be honest, I don’t really know what I am doing

in the Caddyfile

(cors) {
	@origin header Origin {args.0}
	header @origin Access-Control-Allow-Origin "{args.0}"
	header @origin Access-Control-Allow-Methods "OPTIONS,HEAD,GET,POST,PUT,PATCH,DELETE"
	header @origin Cross-Origin-Embedder-Policy: require-corp
	header @origin Cross-Origin-Opener-Policy: same-origin
}

localhost {
    encode gzip
    file_server browse
    import cors localhost
}

The above obviously does not work, so the question is: how do I need to change the config so that the embedder and opener policies are reflected in the browser?

Remove the : after the header fields.

You don’t need to apply the @origin matcher every time, instead you can write it like this:

(cors) {
	@origin header Origin {args.0}
	header @origin {
		Access-Control-Allow-Origin "{args.0}"
		Access-Control-Allow-Methods "OPTIONS,HEAD,GET,POST,PUT,PATCH,DELETE"
		Cross-Origin-Embedder-Policy require-corp
		Cross-Origin-Opener-Policy same-origin
	}
}

That said, please fill out the help topic template, as per the forum rules. We need to see your logs to see what’s going on.

Make a request with curl -v -H'Origin: localhost' https://localhost to test it out.

You’ll need to be more specific. What doesn’t work? And what’s your evidence that it doesn’t work? We can’t guess what you’re seeing.


I updated my Caddyfile as per your example, thank you for that by the way :)

(cors) {
	@origin header Origin {args.0}
	header @origin {
		Access-Control-Allow-Origin "{args.0}"
		Access-Control-Allow-Methods "OPTIONS,HEAD,GET,POST,PUT,PATCH,DELETE"
		Cross-Origin-Embedder-Policy require-corp
		Cross-Origin-Opener-Policy same-origin
	}
}

localhost {
    encode gzip
    file_server browse
    import cors localhost
}

Running Caddy using caddy start and trying the curl command you provided, I got a mixed bag of messages.

* Could not resolve host: localhost'
* Closing connection 0
curl: (6) Could not resolve host: localhost'
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#1)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 1
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

So I had a look in the browser (Chrome) to see if it is reflecting the right values.

[screenshot of the response headers in Chrome]

The policies do not seem to be reflected in the browser, and so the features fail.

Caddy version: 2.5.2

I also tried setting require-corp to “require-corp” and same-origin to “same-origin”, but it did not seem to make a difference.

So, is there anyone out there who can please explain this to me? It would be much appreciated.

Hi @Johan_Rabie,

Going forward, could you please put all configuration and logs in code fences, i.e. triple backticks (```) on lines before and after the text, exactly as you have done it in your original post. This makes things much more readable - thanks!

The result from curl is showing some SSL issues. Specifically, revocation issues. Try:

curl -v -H'Origin: localhost' --ssl-no-revoke https://localhost

And post the full output in code fences. What we want to confirm is that your Caddy server is setting the headers you expect correctly. A good result will have a full request and response, including the headers.

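To make the curl check in the reply above repeatable, here is an added example (it is not from this thread, and not Caddy's own tooling): a small Node.js script that takes a response head, either the `<` lines from `curl -v` output or a raw HTTP head, and reports whether the Cross-Origin-Opener-Policy / Cross-Origin-Embedder-Policy pair would actually make the page cross-origin isolated. The two sample responses inside it are constructed for illustration, not captured from the poster's server; the function and constant names are this example's own.

```javascript
// Added example (not from the forum thread or from Caddy): check a captured
// HTTP response head for the COOP/COEP pair that enables cross-origin isolation.
// Input is the response part of `curl -v` output (the lines prefixed with "< ")
// or a raw HTTP response head; CRLF and LF line endings are both accepted.

// Parse a response head into { status, headers }, where headers maps the
// lower-cased field name to an array of values (a field may repeat).
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).map((l) => l.replace(/^<\s?/, ""));
  const headers = new Map();
  let status = null;
  for (const line of lines) {
    if (line.trim() === "") {
      if (status !== null) break; // blank line ends the head
      continue;                   // skip leading blank lines
    }
    if (status === null) {
      const m = /^HTTP\/\S+\s+(\d{3})/.exec(line);
      if (!m) throw new Error("not an HTTP response head: " + line);
      status = Number(m[1]);
      continue;
    }
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error("malformed header line: " + line);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  if (status === null) throw new Error("empty input");
  return { status, headers };
}

// Policy values may carry parameters, e.g. `same-origin; report-to="default"`;
// only the leading token decides the policy.
function policyToken(value) {
  return value === null ? null : value.split(";")[0].trim().toLowerCase();
}

// Report whether a response would make the document cross-origin isolated:
// COOP must be "same-origin" and COEP must be "require-corp" (or the newer
// "credentialless"). Anything else is listed as a concrete problem to fix.
function checkCrossOriginIsolation(raw) {
  const { status, headers } = parseResponseHead(raw);
  const first = (name) => (headers.get(name) || [])[0] ?? null;
  const coop = policyToken(first("cross-origin-opener-policy"));
  const coep = policyToken(first("cross-origin-embedder-policy"));
  const problems = [];
  if (coop !== "same-origin") {
    problems.push(`Cross-Origin-Opener-Policy is ${coop === null ? "missing" : JSON.stringify(coop)}; need "same-origin"`);
  }
  if (coep !== "require-corp" && coep !== "credentialless") {
    problems.push(`Cross-Origin-Embedder-Policy is ${coep === null ? "missing" : JSON.stringify(coep)}; need "require-corp"`);
  }
  return {
    status,
    coop,
    coep,
    allowOrigin: first("access-control-allow-origin"),
    isolated: problems.length === 0,
    problems,
  };
}

// Constructed sample: the response head the corrected Caddyfile is expected to
// produce for `curl -v -H'Origin: localhost' https://localhost` (not real output).
const GOOD_RESPONSE = [
  "< HTTP/1.1 200 OK",
  "< Access-Control-Allow-Origin: localhost",
  "< Access-Control-Allow-Methods: OPTIONS,HEAD,GET,POST,PUT,PATCH,DELETE",
  "< Cross-Origin-Embedder-Policy: require-corp",
  "< Cross-Origin-Opener-Policy: same-origin",
  "< Content-Type: text/html; charset=utf-8",
  "< ",
  "",
].join("\r\n");

// Constructed sample: the two policy headers never reached the response.
const MISSING_RESPONSE = [
  "< HTTP/1.1 200 OK",
  "< Access-Control-Allow-Origin: localhost",
  "< Content-Type: text/html; charset=utf-8",
  "< ",
  "",
].join("\r\n");

for (const [label, raw] of [["good", GOOD_RESPONSE], ["missing", MISSING_RESPONSE]]) {
  const r = checkCrossOriginIsolation(raw);
  console.log(`${label}: status=${r.status} isolated=${r.isolated}`);
  for (const p of r.problems) console.log("  - " + p);
}
```

Save the `<` lines from the curl output to a file and pass its contents to checkCrossOriginIsolation, or paste them into the constant. In the browser the equivalent check is `self.crossOriginIsolated` in the DevTools console, which is true only when both headers were honoured. One caveat worth keeping in mind once the headers do show up: require-corp means every cross-origin subresource the page loads must itself send Cross-Origin-Resource-Policy or be loaded with CORS, otherwise the browser blocks it, so a page that breaks after the headers are added may be failing for that reason rather than because the headers are absent.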
