While Cross-Origin-Opener-Policy is set to "same-origin", I'm getting 90004


Yegor Bugayenko

Jan 29, 2025, 8:00:37 AM
to ZAP User Group

This is my Cross-Origin-Opener-Policy header: same-origin. However, I'm getting this error: Insufficient Site Isolation Against Spectre Vulnerability [90004]

This is my HTTP response:

```
* Host localhost:4567 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:4567...
* connect to ::1 port 4567 from ::1 port 59927 failed: Connection refused
*   Trying 127.0.0.1:4567...
* Connected to localhost (127.0.0.1) port 4567
* using HTTP/1.x
> GET /robots.txt HTTP/1.1
> Host: localhost:4567
> User-Agent: curl/8.11.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=utf-8
< Content-Security-Policy: base-uri 'self'; default-src 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; form-action 'self'; script-src 'self' 'strict-dynamic' 'unsafe-inline' code.jquery.com 'sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT' 'sha384-4D3G3GikQs6hLlLZGdz5wLFzuqE9v4yVGAcOH86y23JqBDPzj9viv0EqyfIa6YUL'; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com ; img-src 'self' raw.githubusercontent.com ; font-src 'self' cdnjs.cloudflare.com ;
< Permissions-Policy: camera=(), microphone=(), geolocation=(), fullscreen=()
< Cross-Origin-Opener-Policy: same-origin
< X-Zerocracy-Version: 0.1892
< Content-Length: 29
< Server: unknown
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< Date: Wed, 29 Jan 2025 12:30:48 GMT
< Connection: Keep-Alive
< 
User-agent: *
* Connection #0 to host localhost left intact
```

Any ideas?

A better formatted question is here: https://github.com/zaproxy/zaproxy/issues/8832

kingthorin+zap

Jan 29, 2025, 11:15:08 AM
to ZAP User Group
You'd need to actually provide the response that ZAP saw/analyzed. I understand that you're using this in CI/CD with a packaged scan. So unfortunately you don't have access to that, but without it there's no way for us to really answer the question.

While not impossible, it is quite doubtful that this is the first we're hearing of the rule being wrong; finding (or not) headers/values is a pretty sure thing.

One thing to check is if those URLs are actually redirecting, in which case try to make the curl request without following the redirect.

Yegor Bugayenko

Jan 31, 2025, 5:50:39 AM
to ZAP User Group
The problem was solved by setting three headers, instead of one:

```
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```

Maybe it's worth updating the ZAP documentation on this page: https://www.zaproxy.org/docs/alerts/90004-3/ (it may help others fighting this problem).
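The thread above turns on one point: the first post had only Cross-Origin-Opener-Policy set, and the fix was to send all three isolation headers. The following added example (not from the thread, not ZAP's own rule logic, and not the poster's server code) pulls the response headers out of `curl -v` output, as in the first post, and reports which of the three headers is missing or carries a different value. It assumes the exact values the last post settled on (`same-origin`, `same-origin`, `require-corp`) are the ones that count as sufficient; the abridged curl transcripts embedded in it are constructed from the first and last posts.

```python
# Added example: check the three site-isolation headers from `curl -v` output.
# Assumption: the values from the thread's fix are the ones treated as sufficient.
import re

REQUIRED_ISOLATION_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed input, abridged from the first post: only COOP is present.
CURL_OUTPUT_BEFORE = """\
> GET /robots.txt HTTP/1.1
> Host: localhost:4567
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=utf-8
< Cross-Origin-Opener-Policy: same-origin
< X-Content-Type-Options: nosniff
< Content-Length: 29
< 
User-agent: *
"""

# Constructed input: the same response after the fix from the last post.
CURL_OUTPUT_AFTER = """\
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=utf-8
< Cross-Origin-Resource-Policy: same-origin
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Embedder-Policy: require-corp
< 
User-agent: *
"""

# A response header line as curl prints it: "< Name: value". The status line
# ("< HTTP/1.1 200 OK") has no colon after a token, so it does not match.
_HEADER_LINE = re.compile(r"^<\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*?)\s*$")


def parse_curl_response_headers(verbose_output: str) -> dict[str, str]:
    """Return the response headers from `curl -v` output, keyed by lowercase name.

    Only "< " lines are response lines; request lines ("> "), the status line
    and the body (printed after the empty "< " line, without a prefix) are
    skipped. A repeated header has its values joined with ", ".
    """
    headers: dict[str, str] = {}
    for line in verbose_output.splitlines():
        m = _HEADER_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_site_isolation(headers: dict[str, str]) -> list[str]:
    """Return one finding per isolation header that is absent or differs from the expected value.

    Header names are matched case-insensitively and values are compared after
    trimming and lowercasing. An empty list means all three are in place.
    """
    findings: list[str] = []
    for name, expected in REQUIRED_ISOLATION_HEADERS.items():
        actual = headers.get(name.lower())
        if actual is None:
            findings.append(f"{name}: missing (expected '{expected}')")
        elif actual.strip().lower() != expected:
            findings.append(f"{name}: got '{actual}', expected '{expected}'")
    return findings


if __name__ == "__main__":
    for label, output in (("before", CURL_OUTPUT_BEFORE), ("after", CURL_OUTPUT_AFTER)):
        findings = check_site_isolation(parse_curl_response_headers(output))
        print(f"{label}: {'ok' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the "before" transcript it reports COEP and CORP as missing, which is the situation the first post describes; against the "after" transcript it reports nothing. Feeding it real `curl -v` output (taken without following redirects, as the second reply suggests) is a quick way to confirm what a scanner will actually see before re-running the scan.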
