Cross-Origin Embedder Policy and loading JavaScript


I have a website on server A with Cross-Origin Embedder Policy = RequireCorp header that fetches a script from server B (A and B are different origins and both owned by me).

  • There are multiple servers like A with different domains that need to fetch this script from B

I'm receiving the following error: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200

I see two ways to fix this:

  1. Add a `Cross-Origin-Resource-Policy: cross-origin` header on server B.

  2. Add crossorigin tag to this specific script tag

What are the differences between those two solutions?


If you own both servers, the difference is probably not so big, because CORS is about preventing cross-origin requests from a malicious website to a victimized server.

With alternative #1, the Cross-Origin-Resource-Policy header must have the value cross-origin, which you may not want to set in general, but rather depending on the Origin header of the request.

With alternative #2, the Access-Control-Allow-Origin header could have a more restricted value like https://serverA.of.your.website. This way you could restrict access more tightly without having to evaluate the Origin header of the request. But since you have multiple such servers A, that does not help you much.
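As an added illustration (not code from the question or the answer), the two alternatives modelled in JavaScript: what server B would send in each case, and a simplified version of the check a browser runs for a document with COEP: require-corp. The embedder origins and the `coepAllows` model are constructed assumptions, not a real server or browser implementation.

```javascript
// Constructed example: server B serving a script to several "server A" embedders.
// Hypothetical embedder origins (placeholders, not real hosts).
const ALLOWED_EMBEDDERS = new Set(["https://a1.example", "https://a2.example"]);

// Alternative #1: CORP header. Works for a plain <script src> (no-cors request) and
// does not depend on who embeds it: every cross-origin document may use the response.
function corpHeaders() {
  return { "Cross-Origin-Resource-Policy": "cross-origin" };
}

// Alternative #2: CORS headers for <script crossorigin src=...>. Server B has to look
// at the request's Origin, answer only for known embedders, echo that origin instead of
// "*" and mark the response as varying on Origin so caches keep answers apart.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_EMBEDDERS.has(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Simplified model of the browser check under COEP: require-corp.
// A cross-origin response is usable if it carries CORP: cross-origin, or if it was
// fetched in CORS mode (crossorigin attribute) and the CORS check succeeds. Otherwise
// CORP is defaulted to same-origin and the load is blocked (the error in the question).
// Omitted for brevity: CORP "same-site" and credentialed CORS rules.
function coepAllows({ documentOrigin, resourceOrigin, corsMode, headers }) {
  if (documentOrigin === resourceOrigin) return true;
  if (headers["Cross-Origin-Resource-Policy"] === "cross-origin") return true;
  if (corsMode) {
    const acao = headers["Access-Control-Allow-Origin"];
    return acao === "*" || acao === documentOrigin;
  }
  return false; // NotSameOriginAfterDefaultedToSameOriginByCoep
}
```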