on a website I have to embed an iframe that requires the following headers on my website, since it needs the SharedArrayBuffer feature:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Unfortunately, a 3rd party service IFRAME I still need in my page is not loading anymore. There's a way to allow a 3rd party domain even with the embedded-policy turned on?
Thanks. Dario.
On
You need control over the domain you want to embed to remove/amend its CORS policy. It the domain has explicitely blocked Cross-Origin requests, there's nothing you can do about it.
This is used to avoid anyone hijacking any site you want (you could have a full screen Google in an iframe running with your ads on top on bettergoogle.com, things like that). This will help out read this one
On
If the document loaded into iframe is cross-origin, it needs to send the following two headers:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin
If it's difficult, please register for an origin trial to temporarily exempt the requirement from your domain. This will let your website use SharedArrayBuffer without COOP/COEP headers at least on Chrome.
In the meantime, the standard body is working to introduce an option to load iframe without requiring those headers. Learn more at:
https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md
The 3rd party website will have to add your domain in the content security policy response header:
Response header from 3rd party website:
If you don't have control over it, there is nothing you can do.