[4.0] Add Cross-Origin-Resource-Policy header to the core htaccess

[zero-24]

Summary of Changes

Add Cross-Origin-Resource-Policy header to the core htaccess it protect against certain cross-origin requests. More information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

cc @SniperSister @mikewest

Testing Instructions

• Apply the header to your htaccess
• notice the header is set

Expected result

The header is set

Actual result

The header is not set

[brianteeman]

Last time we updated the htaccess we added a postinstall message

[zero-24]

Last time we updated the htaccess we added a postinstall message

Yes I know this time we do this in a major release not a patch release, but I'm happy to add a postinstall when requested.

[brianteeman]

well dont forget people will be upgrading from 3 so wont know about the htaccess change if you dont tell them

[mikewest]

I'm not familiar at all with Joomla's internals, so it's not clear to me what set of resources this change would affect. It looks fairly sweeping! As y'all know, this will prevent cross-origin usage of all the resources that are tagged with this header. That's probably a great thing to do, and I'm excited to see y'all following up on it!

Still, it does seem reasonable to tell your users about that change, as some of them may rely upon static resources being available for same-site usage, or they might intentionally be making some set of resources available for cross-site embedding.

[zero-24]

Thanks @mikewest i have included the header in the main htaccess as usually our js, css, ... files should not be used by other origins.

I get the point of reporting to the users and will take a look into a postinstall message as suggested by @brainteeman.

[brianteeman]

Wont setting a cross-origin policy with these values prevent the loading of anything from a cdn loading and the same with any web fonts or am I completely misreading this

[zero-24]

You can still load anything from an cdn but your site can by default not be used as CDN. When you need this capitibily you have to set the cross-origin setting in the header.

[brianteeman]

ah - I had it the wrong way around. ;)

So this means that a page like this one would cause problems https://jandbeyond.org/banners.html if someone was to try and use the suggested code to embed the banner on their own site??

[zero-24]

Yes. In that case you have to set the cross origin header value. I think we have to make this clear in the postinstall.

We might also just set that header in a dedicated htaccess for the banners folder of the JAB site.

[joeforjoomla]

Pay attention to include such a thing by default... This would have the side effect to prevent all cross origin requests such as JSONP towards a Joomla website from an external website

[zero-24]

We can set the cross-origin setting for the API folder. Right? Or what do you think about?

[joeforjoomla]

That would be a B/C break for people that upgrades from J3 to J4
Personally i would not include a similar directive in the standard htaccess, i think that it's always better to leave this optional

[joeforjoomla]

In J4 there is the CSP component... why not just using it for similar thing instead? What's the sense of hardcoding this header in the default htaccess? I don't understand why to complicate life

[zero-24]

That would be a B/C break for people that upgrades from J3 to J4

Well, first things first we would be are allowed to do B/C breaks in majors. But the good thing is that this is not an B/C break at all as affected are only new installs as this PR changes (as usual) only the htaccess.txt file and not the active file used within the running installation. So any update will still have the old htaccess and therefor works like before this PR.

Personally i would not include a similar directive in the standard htaccess, i think that it's always better to leave this optional

It would be optional but recommended like the nosniff stuff nothing more nothing less.

In J4 there is the CSP component... why not just using it for similar thing instead?
What's the sense of hardcoding this header in the default htaccess?

The problem is when this header comes into account joomla is not booted up and can not add any headers. When you load an image from a website joomla does not get triggerd to do anything only the webserver so we need to directly tell it the webserver. :)

[joeforjoomla]

The problem is when this header comes into account joomla is not booted up and can not add any headers. When you load an image from a website joomla does not get triggerd to do anything only the webserver so we need to directly tell it the webserver. :)

Should not the CSP have an option to write to the htaccess as well?

[zero-24]

Should not the CSP have an option to write to the htaccess as well?

Yes we had but we decided to remove that option. Details can be found here: #24674 and #25754

[joeforjoomla]

Yes i read about that... but was not sure about the final decision...i agree to remove that option

[joeforjoomla]

Maybe just leave an option in the CSP to opt-in/opt-out the CORP directive writing/deleting it from the htaccess?

[zero-24]

Maybe just leave an option in the CSP to opt-in/opt-out the CORP directive writing/deleting it from the htaccess?

hmm I'm not sure whether it would make sense but i'm happy to try when we have found a solution for the mention issues. But please open a new issue for that as this would be bigger PR than just a few lines in the htaccess.txt file ;)

[brianteeman]

I am really reluctant to see this going in the core htaccess

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28068.}

[joeforjoomla]

Me too, very reluctant

[brianteeman]

To be clear the biggest problem with this rule being applied is that its not obvious. You build a web site with resources to share (perhaps banners in the example above). It works perfectly in development but users report that the banners just dont load. You check the embed code, you check the images exist, you check the dns, you shout at your host for having a firewall. You never would think to check the htaccess (thats just for sef isnt it) and even if you were to check it you would not guess that this rule with an obscure name is responsible. Applying this rule by default is creating problems not solving them. IF I know what I am doing then I can apply the rule myself and it will add questionable extra security.

[mbabker]

Agree with the concerns above. This is one of those things that are too opinionated to be a default configuration for a general purpose web platform.

[zero-24]

Ok got your point. Do we have besides the image folder any resources that should be allowed to be loaded cross-site?

On solution for that problem could be a default / suggested htaccess for the images folder than. ;)

Another way around would be that we ship the rule but by default it is disabled and we add a postinstall step / docs which mention that to protect the system.

[mbabker]

Ok got your point. Do we have besides the image folder any resources that should be allowed to be loaded cross-site?

Why is it Joomla's responsibility to decide what resources are hot-linkable across domains? This seems like a site owner's responsibility to define this policy, not the software's. The software's stance here should be providing documentation on why to use this rule and how to implement it appropriately for the end user's different use cases, not try to assume that 3% of the internet will arbitrarily use a default configuration because reasons.

[ot2sen]

Agree with the others here. It is a huge step to take on that kind of decision making from the users of the software.

How about making it a 'project recommended' #comment in the htaccess for those who would like to use it? With a link to how to like it was done for the htaccess changes for 3.9.3
https://docs.joomla.org/J3.x:Joomla_3.9.3_Security_Notes

Could that be a useable compromise? :)

[zero-24]

Could that be a useable compromise? :)

For me for sure. Just done that in that PR. We have to come up with a docs a page when this here has been accepted.

[carcam]

I have tested this item ✅ successfully on 73157c7

I have successfully tested this:

1. Apply test
2. copy htaccess.txt to .htaccess
3. Uncomment new content in the file
4. CORS is now set

   ---

   _{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28068.}

[chmst]

I have tested this item ✅ successfully on 73157c7

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28068.}

[zero-24]

RTC Thanks!

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28068.}

[wilsonge]

Thankyou!

[zero-24]

Thanks 👍