This feature is only shown in the feature list to users with edit access.

Enforce Cross-Origin-Embedder-Policy in SharedWorker. Cross-Origin-Embedder-Policy HTTP header prevents documents and workers from loading cross-origin resources without an explicit opt-in, either with CORS or CORP. This was previously shipped for: Document, DedicatedWorker, and ServiceWorker. Now we want to bring support for SharedWorker.

Motivation

Support COEP inside SharedWorker (M96) When used, it restricts the set of cross-origin resources the SharedWorker can fetch. An explicit opt-in via CORS or CORP is required from the cross-origin server. In the future, this will gate the crossOriginIsolated capability for SharedWorker, but this isn't implemented here.

Documentation

Specification

Specification link


Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form

Status in Chromium

Blink>SecurityFeature>COEP


In developer trial (Behind a flag) (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No signal
  • N/A
  • No signals

Owners

Comments

We previously shipped COEP, but postponed the implementation for SharedWorker. - https://groups.google.com/a/chromium.org/g/blink-dev/c/XBKAGb2_7uA/m/TDg_AkQbAAAJ - https://www.chromestatus.com/feature/5642721685405696 This intent bridges the gap. This is already part of the HTML specification.

Search tags

coep, sharedworker, coop,

Last updated on 2021-09-07