Details
Alert ID 90004-2
Alert Type Passive
Status beta
Risk Low
CWE 693
WASC 14
Technologies Targeted All
Tags CWE-693
OWASP_2017_A03
OWASP_2021_A04
POLICY_PENTEST
POLICY_QA_STD
SYSTEMIC
More Info Scan Rule Help

Summary

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Solution

Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).

Other Info

References

Code

org/zaproxy/zap/extension/pscanrulesBeta/SiteIsolationScanRule.java