Cross-Origin-Embedder-Policy: how to allow only certain domains?

Question

on a website I have to embed an iframe that requires the following headers on my website, since it needs the SharedArrayBuffer feature:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Unfortunately, a 3rd party service IFRAME I still need in my page is not loading anymore. There's a way to allow a 3rd party domain even with the embedded-policy turned on?

Thanks. Dario.

Answer 1

If the document loaded into iframe is cross-origin, it needs to send the following two headers:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin

If it's difficult, please register for an origin trial to temporarily exempt the requirement from your domain. This will let your website use SharedArrayBuffer without COOP/COEP headers at least on Chrome.

In the meantime, the standard body is working to introduce an option to load iframe without requiring those headers. Learn more at:

https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md

Answer 2

The 3rd party website will have to add your domain in the content security policy response header:

Response header from 3rd party website:

"Content-Security-Policy: frame-ancestors 'self' https://*.yourdomain.com;";

If you don't have control over it, there is nothing you can do.

Answer 3

You need control over the domain you want to embed to remove/amend its CORS policy. It the domain has explicitely blocked Cross-Origin requests, there's nothing you can do about it.

This is used to avoid anyone hijacking any site you want (you could have a full screen Google in an iframe running with your ads on top on bettergoogle.com, things like that). This will help out read this one