on a website I have to embed an iframe that requires the following headers on my website, since it needs the SharedArrayBuffer feature:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Unfortunately, a 3rd party service IFRAME I still need in my page is not loading anymore. There's a way to allow a 3rd party domain even with the embedded-policy turned on?
Thanks. Dario.
If the document loaded into iframe is cross-origin, it needs to send the following two headers:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin
If it's difficult, please register for an origin trial to temporarily exempt the requirement from your domain. This will let your website use SharedArrayBuffer without COOP/COEP headers at least on Chrome.
In the meantime, the standard body is working to introduce an option to load iframe without requiring those headers. Learn more at:
https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md
The 3rd party website will have to add your domain in the content security policy response header:
Response header from 3rd party website:
"Content-Security-Policy: frame-ancestors 'self' https://*.yourdomain.com;";
If you don't have control over it, there is nothing you can do.
You need control over the domain you want to embed to remove/amend its CORS policy. It the domain has explicitely blocked Cross-Origin requests, there's nothing you can do about it.
This is used to avoid anyone hijacking any site you want (you could have a full screen Google in an iframe running with your ads on top on bettergoogle.com, things like that). This will help out read this one
