[TIL] 211220

dev·2021년 12ė›” 20ėž
TILcors
1

TIL

ëŠĐ록 ëģīęļ°
124/204
post-thumbnail

📝 ė˜Ī늘 한 ęēƒ

  1. Credentialed Request ė—ëŸŽ í•īęē°

📚 ë°°ėšī ęēƒ

1. 배폎

1) Herokuė— 배폎

(1) Credentialed Request ė—ëŸŽ í•īęē° ðŸ”Ĩ

ė•žė„œ SharedArrayBuffer ė‚ŽėšĐęģž ęī€ë Ļí•ī ė—ëŸŽę°€ 발ėƒí–ˆė„ 때 ė•„래 ė―”ë“œëĨž ėķ”ę°€í•˜ė—Ž í•īęē°í–ˆė—ˆë‹Ī.

app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "require-corp");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  next();
});

ėī로 ėļí•ī github 프로필 ėīëŊļė§€ę°€ ëœĻė§€ ė•Šė•˜ë˜ ëŽļė œëŠ” img 태ę·ļė— crossorigin ė†ė„ąė„ ėķ”ę°€í•˜ė—Ž í•īęē°í–ˆë‹Ī.

ę·ļ런데 AWSëĨž ėīėšĐ하ë Īęģ  ė„Īė •í•˜ëŠ” ęģžė •ė—ė„œ ėœ„ ė―”ë“œëĄœ ėļí•ī 또 ë‹Īė‹œ ėīëŊļė§€ę°€ ė œëŒ€ëĄœ 나ė˜Īė§€ ė•ŠėœžëĐīė„œ ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 ė—ëŸŽę°€ 발ėƒí–ˆë‹Ī.

SharedArrayBufferëĨž ė‚ŽėšĐ하ëĐīė„œë„ ë‹ĪëĨļ ėķœėē˜ëĄœëķ€í„° ëĶŽė†ŒėŠĪëĨž 가ė ļė˜Īęļ° ėœ„í•ī, ėē˜ėŒė—ëŠ” ė•„래ė™€ 같ėī cross-origin-resource-PolicyëĨž cross-originėœžëĄœ ė§€ė •í–ˆė§€ë§Œ, ė—ëŸŽëŠ” í•īęē°ë˜ė§€ ė•Šė•˜ë‹Ī.

app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "require-corp");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  res.header("cross-origin-resource-Policy", "cross-origin");
  next();
});

ę·ļ럮던 ėĪ‘ ėī ęļ€ė„ 발ęēŽí–ˆë‹Ī.
CORS는 ė™œ ėī렇ęēŒ ėš°ëĶŽëĨž 힘ë“ĪęēŒ 하는ęąļęđŒ? ė œëŠĐ 너ëŽī ėž˜ė§€ėœžė…Ļ

ë‚ī가 ëģīë‚īęģ  ėžˆëŠ” ėš”ėē­ėī Credentialed Request띾는 ęēƒė„ ė•ŒęēŒ 됐ë‹Ī.
ę·ļ럮나, ė„Ī멅ė„ ė°ļęģ í•ī ė‘ë‹ĩ í—Ī더ė— Access-Control-Allow-Credentials: trueëĨž ë„Ģė–īėĢžė—ˆė§€ë§Œ, ė—Žė „히 í•īęē°ė€ 되ė§€ ė•Šė•˜ë‹Ī.

app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "require-corp");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  res.header("cross-origin-resource-Policy", "cross-origin");
  res.header("Access-Control-Allow-Credentials", "true");
  next();
});

개발ėž 도ęĩŽ ë„ĪíŠļė›ŒíŽ 탭ė˜ ė‘ë‹ĩ í—Ī더ė—ė„œ ëŽļė œ 탭ė— ë“Īė–ī가니ęđŒ ė•„래ė™€ 같ė€ ė•ˆë‚ī가 ë–īë‹Ī.
마ė§€ë§‰ ëŽļë‹Ļėī í•īęē° ë°Đëē•ėī 될 ėˆ˜ë„ ėžˆė„ ęą° 같ė•„ ė‹œë„í•īëģīë Īęģ  했ė§€ë§Œ, ėīëĶ„ėī 너ëŽī ëŽī턱대ęģ  ė ėšĐ하ëĐī ė•ˆë  ęēƒ 같ėī ėƒęēĻė„œ ęē€ėƒ‰í•īëīĪë‹Ī.

Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP).
This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded.

To solve this, add the following to the resource’ response header:

Cross-Origin-Resource-Policy: same-site
if the resource and your site are served from the same site.

Cross-Origin-Resource-Policy: cross-origin
if the resource is served from another location than your website. → ėē˜ėŒė— ė‹œë„했던 ë°Đëē•ėīė§€ë§Œ ėīęąļ로 í•īęē°ë˜ė§€ ė•Šė•˜ë‹Ī.
If you set this header, any website can embed this resource.

Alternatively, the document can use the variant:
Cross-Origin-Embedder-Policy: credentialless instead of require-corp.
It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.

ę·ļëĶŽęģ  ėī ęļ€ė„ 발ęēŽí–ˆë‹Ī.
Cross-Origin-Embedder-Policy: credentialless

In this new COEP variant, cross-origin no-cors subresource requests would be sent without credentials.
Specific requests which require credentials can opt-into including them, at the cost of shifting the request’s mode to require a CORS check on the response.
This bifurcation between credentiallessness and CORS means either that servers don’t have browser-provided identifiers which could be used to personalize a response (see the isolation section below), or that they explicitly opt-in to exposing the response’s content to the requesting origin.

As an example, consider a developer who wishes to load an image into a context isolated in the way described above. The < img > element has a crossorigin attribute which allows developers to alter the outgoing request’s state. In this new mode, the following table describes the outgoing request’s properties in Fetch’s terms for various values:

ResourceRequest’s ModeRequest’s Credentials Mode includeCredentialsCOEP:unsafe-noneincludeCredentials COEP:credentialless
< img src="https://same-origin/" >same-originincludetruetrue
< img src="https://same-origin/" >same-originincludetruetrue
< img src="https://cross-origin/" >no-corsincludetruefalse
< img src="https://cross-origin/" crossorigin="anonymous" >no-corsomitfalsefalse
< img src="https://cross-origin/" crossorigin="use-credentials" >corsincludetruetrue

ėīëĨž ė°ļęģ í•ī ėžë‹Ļ Cross-Origin-Embedder-PolicyëĨž credentialless로 ė„Īė •í–ˆë‹Ī.
ę·ļëĶŽęģ  ėī로 ėļí•ī ëŽļė œę°€ 될 ėˆ˜ ėžˆëŠ” ëķ€ëķ„ë“Ī, ėĶ‰ 가ė ļė˜Ī는데 ėžęēĐ ėĶëŠ…ė„ 필ėš”ëĄœ 하는 img(github 로ę·ļėļ userė˜ 프로필 ė‚Žė§„)ė—ëŠ” crossorigin="use-credentials" ė†ė„ąė„ ëķ€ė—Ží–ˆë‹Ī.

// server.js
app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "credentialless");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  next();
});
//- header.pug & profile.pug
img(src=loggedInUser.avatarUrl, crossorigin="use-credentials").profile-img

드디ė–ī ėīëŊļė§€ę°€ ė •ėƒė ėœžëĄœ ëœĻ는 ęēƒė„ 확ėļ했ë‹Ī.

ėīė œ 파ėžė€ ė„œëē„ę°€ ė•„니띞 AWSė— ė €ėžĨ되ęļ° 때ëŽļė— git pushëĨž í†ĩí•ī ė„œëē„ëĨž ėƒˆëĄœ ëđŒë“œí•ī도 파ėžė€ ė§€ė›Œė§€ė§€ ė•ŠëŠ”ë‹Ī. ę·ļ럮나...


âœĻ ë‚īėž 할 ęēƒ

  1. ė—ëŸŽëŠ” ęģ„ė†ëœë‹Ī
profile
dev
dev log
ėīė „ 폎ėŠĪíŠļ

[TIL] 211219

ë‹ĪėŒ 폎ėŠĪíŠļ

[TIL] 211221

2개ė˜ 댓ęļ€

comment-user-thumbnail
Dana
2022년 6ė›” 3ėž

덕ëķ„ė— ė—ëŸŽëĨž í•īęē°í–ˆėŠĩ니ë‹Ī.. 감ė‚Ží•Đ니ë‹Ī..

ë‹ĩęļ€ 닮ęļ°
comment-user-thumbnail
ęĩŽë 
2023년 2ė›” 16ėž

감ė‚Ží•Đ니ë‹Ī

ë‹ĩęļ€ 닮ęļ°