Today I received an email from Google:
New requirements for SharedArrayBuffers on https://example.com/
Google systems have recently detected that SharedArrayBuffers (SABs) are used on https://example.com/, but COOP and/or COEP headers are not served.
For web compatibility reasons, Chrome is planning to require COOP/COEP for the use of SABs from Chrome 91 (2021-25-05) onwards. Please implement 'cross-origin-isolated' behaviour on your site.
I have been reading up about this, this afternoon, but am totally lost!
I make a lot of use on my site of things like:
- Adverts from Freestar.io
- Static content (JS, CSS and some images) hosted in an AWS bucket
- Content from Youtube and Vimeo in iframes
- Bootstrap CSS and JS and jQuery from various CDNs
I have checked the headers from the CDNs, and can see that cross-origin-resource-policy is set to cross-origin, and so, if I set these headers on my site:
Cross-Origin-Embedder-Policy = require-corp
Cross-Origin-Opener-Policy = same-origin
then the content from CDNs that is served with the cross-origin-resource-policy: cross-origin header can be displayed, as long as I include the crossorigin option, e.g. here:
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css" crossorigin>
However, I have looked at various other sites, and they do not have those headers. Those sites include the following:
- AWS
- Freestar.io Advert
- Youtube and Vimeo
My questions are:
- Does anyone know if it is possible to configure an AWS bucket so that the content served by the bucket includes the cross-origin-resource-policy header? I have searched but cannot find anything to explain how to do that.
- Will adverts and videos no longer be displayed once the Chrome change to require COOP/COEP for the use of SABs is implemented, and if so, is that just something I am stuck with and can do nothing about since I have no way to make the external sites include that header in the content they serve?
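The check that Cross-Origin-Embedder-Policy: require-corp applies to each subresource, as an added example that is not part of the original post: it models the browser's decision from the response headers and the request mode. The function name, the sample hosts other than the Bootstrap CDN URL, and all header values in the samples are constructed assumptions, and same-site matching is simplified.

```javascript
// Added example, not from the original post. Models the COEP: require-corp
// check a browser applies to one subresource of a page.
// Assumption: "same-site" compares the last two host labels, not the Public Suffix List.
const site = (u) => u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');

function coepVerdict(pageUrl, res) {
  const page = new URL(pageUrl);
  const target = new URL(res.url);
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) {
    h[k.toLowerCase()] = String(v).trim().toLowerCase();
  }
  if (target.origin === page.origin) return { allowed: true, reason: 'same-origin' };

  // crossorigin attribute => CORS request: the CORS check replaces the CORP check.
  if (res.mode === 'cors') {
    const acao = h['access-control-allow-origin'];
    const ok = acao === '*' || acao === page.origin;
    return { allowed: ok, reason: ok ? 'CORS check passed' : 'CORS check failed' };
  }
  // A framed document must itself opt in to COEP, in addition to CORP below.
  if (res.destination === 'iframe') {
    const coep = (h['cross-origin-embedder-policy'] || '').split(';')[0].trim();
    if (coep !== 'require-corp' && coep !== 'credentialless') {
      return { allowed: false, reason: 'framed document has no compatible COEP' };
    }
  }
  const corp = h['cross-origin-resource-policy'];
  if (corp === 'cross-origin') return { allowed: true, reason: 'CORP: cross-origin' };
  if (corp === 'same-site' && site(target) === site(page)) {
    return { allowed: true, reason: 'CORP: same-site' };
  }
  return { allowed: false, reason: 'no CORP header permitting this embedder' };
}

// Constructed sample responses; header values are illustrative, not captured.
const PAGE = 'https://example.com/';
const SAMPLES = [
  { name: 'cdn-css', url: 'https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css',
    destination: 'style', mode: 'cors', headers: { 'Access-Control-Allow-Origin': '*' } },
  { name: 'bucket-img', url: 'https://bucket.example.net/logo.png',
    destination: 'image', mode: 'no-cors', headers: {} },
  { name: 'bucket-img-corp', url: 'https://bucket.example.net/logo.png',
    destination: 'image', mode: 'no-cors', headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } },
  { name: 'video-iframe', url: 'https://video.example.org/embed/1',
    destination: 'iframe', mode: 'navigate', headers: {} },
];
const report = () => SAMPLES.map((s) => ({ name: s.name, ...coepVerdict(PAGE, s) }));
console.log(report());
```

In a real page, `self.crossOriginIsolated` in the browser console reports whether the COOP and COEP headers took effect.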