files/en-us/web/security/practical_implementation_guides/corp/index.md
Lines changed: 16 additions & 3 deletions
@@ -37,14 +37,27 @@ Instruct browsers to disallow cross-origin requests made in `no-cors` mode:
37
37
Cross-Origin-Resource-Policy: same-origin
38
38
```
39
39
40
-
Instruct browsers to allow cross-origin resource access, including access to features with unthrottled timers (such as {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}}):
40
+
To enable {{jsxref("SharedArrayBuffer")}} and {{domxref("Performance.now()")}}, the document must be cross-origin isolated environment. Include the following headers on the document:
41
41
42
42
```http
43
-
Cross-Origin-Resource-Policy: same-origin
43
+
Cross-Origin-Opener-Policy: same-origin
44
44
Cross-Origin-Embedder-Policy: require-corp
45
45
```
46
46
47
-
This also permits such resources to be embedded.
47
+
A page using `Cross-Origin-Embedder-Policy`: `require-corp` may only load resources that explicitly allow being embedded.
48
+
Resources can opt in using either:
49
+
50
+
**Cross-Origin-Resource-Policy (CORP):**
51
+
```http
52
+
Cross-Origin-Resource-Policy: cross-origin
53
+
```
54
+
**or CORS:**
55
+
56
+
```http
57
+
Access-Control-Allow-Origin: https://example.com
58
+
```
59
+
60
+
CORP and CORS do not themselves enable SharedArrayBuffer they only allow resources to be loaded under COEP so that isolation is maintained.
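Review bot: the CORS alternative is incomplete as written: under `Cross-Origin-Embedder-Policy: require-corp`, a resource that opts in via CORS only satisfies COEP when the embedding document actually requests it in CORS mode (for example an `<img>` or `<script>` with the `crossorigin` attribute, or `fetch()` with `mode: "cors"`); an `Access-Control-Allow-Origin: https://example.com` response header on a resource fetched in `no-cors` mode is still blocked. Consider adding a sentence after the `**or CORS:**` block saying the request must be made with CORS. The same hunk also has a few wording issues: "the document must be cross-origin isolated environment" is missing "in a" (or should read "must be cross-origin isolated"); "A page using `Cross-Origin-Embedder-Policy`: `require-corp`" places the backticks oddly and should read `Cross-Origin-Embedder-Policy: require-corp`; and the final sentence "CORP and CORS do not themselves enable SharedArrayBuffer they only allow resources..." needs punctuation between the two clauses ("...enable SharedArrayBuffer; they only allow...") and could use the {{jsxref("SharedArrayBuffer")}} macro for consistency with the rest of the section.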