|
Details
|
|
Alert Id
|
90004-2 |
|
Alert Type
|
Passive Scan Rule |
|
Status
|
alpha |
|
Risk
|
Low |
|
CWE
|
16
|
|
WASC
|
14 |
Summary
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
Solution
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
References
Code
org/zaproxy/zap/extension/pscanrulesAlpha/SiteIsolationScanRule.java