I have a website on server A with Cross-Origin Embedder Policy = RequireCorp header that fetches a script from server B (A and B are different origins and both owned by me).
- There are multiple servers like A with different domains that need to fetch this script from B
I'm receiving the following error: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200
I see two ways to fix this:
1. Add a Cross-Origin-Resource-Policy: cross-origin header to server B.
2. Add a crossorigin attribute to this specific script tag.
What are the differences between those two solutions?
If you own both servers, the difference is probably not so big, because CORS is about preventing cross-origin requests from a malicious website to a victimized server.
With alternative #1, the Cross-Origin-Resource-Policy header must have the value cross-origin, which you may not want to set in general, but depending on the Origin header of the request. With alternative #2, the Access-Control-Allow-Origin header could have a more restricted value like https://serverA.of.your.website. By this you could better restrict access without having to evaluate the Origin header of the request. But since you have multiple such servers A, that does not help you much.