I'm unable to access my server to enable COOP and COEP headers, but I was able to add them via service worker by using the following script https://github.com/gzuidhof/coi-serviceworker, which registers a service worker that has the headers active.
I need COOP and COEP to enable SharedArrayBuffer, which is restricted to avoid vulnerability to Spectre and Meltdown.
My question is whether adding the https headers via service worker poses a security risk, because the headers are not set at the server level.
The bottom of this article argues that this is not a risk: https://dev.to/stefnotch/enabling-coop-coep-without-touching-the-server-2d3n
But I'd appreciate an explanation to better understand whether the service-worker approach is equivalently secure, or leaves open vulnerabilities.
Thanks!
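The service-worker approach described in the question, as an added sketch that is not part of the original post and is not the coi-serviceworker project's code; the function names are hypothetical. Only responses handled by a controlling service worker get the headers, so the page-side check gates shared memory on `crossOriginIsolated` rather than assuming isolation is active.

```javascript
// Added illustration; withIsolationHeaders and canUseSharedMemory are hypothetical names.
const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
};

// Return a copy of `response` that carries the COOP/COEP headers.
function withIsolationHeaders(response) {
  // Opaque (cross-origin, no-cors) responses report status 0 and cannot be
  // re-wrapped, so they pass through unchanged. Under require-corp the browser
  // blocks such resources unless they opt in via CORS or CORP.
  if (response.status === 0) return response;
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(ISOLATION_HEADERS)) {
    headers.set(name, value);
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Page-side gate: the first load happens before the worker controls the page,
// so isolation must be confirmed, not assumed.
function canUseSharedMemory(scope) {
  return scope.crossOriginIsolated === true &&
    typeof scope.SharedArrayBuffer === "function";
}

// Service-worker wiring; skipped when this file runs outside a worker.
if (typeof ServiceWorkerGlobalScope !== "undefined" &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener("install", () => self.skipWaiting());
  self.addEventListener("activate", (e) => e.waitUntil(self.clients.claim()));
  self.addEventListener("fetch", (e) => {
    const r = e.request;
    // This request shape makes fetch() throw; let the browser handle it.
    if (r.cache === "only-if-cached" && r.mode !== "same-origin") return;
    e.respondWith(fetch(r).then(withIsolationHeaders));
  });
}
```

In a page, call `canUseSharedMemory(window)`; it returns `false` on the first visit, before the worker is in control and the page has been reloaded.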