Skip to content

Reciprocating a Cross-Origin-Embedder-Policy (COEP) of require-corp #135

Description

@jbcaprell

This is a little niche, but I think maybe this:

|> put_resp_content_type("text/html")

… should be expanded to:

    |> merge_resp_headers([
      {"content-type", "text/html; charset=utf-8"},
      {"cross-origin-embedder-policy", "require-corp"},
      {"cross-origin-resource-policy", "cross-origin"}
    ])

… in order to allow for the target to set a Cross-Origin-Embedder-Policy of require-corp.

You can, I’ll note, make this square in Chrome as of January by setting iframe_attrs: [credentialless: "true"] as part of a given Endpoint’s :live_reload configuration, but that’s only true in Chrome. This seems to me like the more back-of-the-fence fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions