This feature is only shown in the feature list to users with edit access.

Enforce Cross-Origin-Embedder-Policy in SharedWorker. Cross-Origin-Embedder-Policy HTTP header prevents documents and workers from loading cross-origin resources without an explicit opt-in, either with CORS or CORP. This was previously shipped for: Document, DedicatedWorker, and ServiceWorker. Now we want to bring support for SharedWorker.

Motivation

Support COEP inside SharedWorker (M96) When used, it restricts the set of cross-origin resources the SharedWorker can fetch. An explicit opt-in via CORS or CORP is required from the cross-origin server. In the future, this will gate the crossOriginIsolated capability for SharedWorker, but this isn't implemented here.

Documentation

• https://docs.google.com/document/d/1mpIKhBhsx4deZXu3C2bnie5LSbzumjD1m6uhJx-hPQA/edit?usp=sharing

Specification

Specification link

Status: Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form

Status in Chromium

Blink components: Blink>SecurityFeature>COEP

Implementation status: In developer trial (Behind a flag) (tracking bug)

Consensus & Standardization

• Firefox: In development
• Safari: N/A
• Web Developers: No signals

Owners

• lyf@chromium.org
• arthursonzogni@chromium.org

Comments

We previously shipped COEP, but postponed the implementation for SharedWorker. - https://groups.google.com/a/chromium.org/g/blink-dev/c/XBKAGb2_7uA/m/TDg_AkQbAAAJ - https://www.chromestatus.com/feature/5642721685405696 This intent bridges the gap. This is already part of the HTML specification.

Search tags

Last updated on 2021-09-07