3

My project uses multiple threads and SharedArrayBuffer. In firefox, to use SharedArrayBuffer, your site needs to be cross origin isolated. This will also be coming to chrome and edge. So I isolated the site by setting these headers from the node.js server:

"Cross-Origin-Embedder-Policy" : "require-corp",
"Cross-Origin-Opener-Policy" : "same-origin",

This fixes the problem in firefox and removes the warnings in chrome and everything works as intended.

Now I am also using the youtube iframe api on the site. The videos get blocked due to cross origin isolation. It works when cross origin isolation is disabled. Is there any way to make it work?

enter image description here

This video on youtube tells that I will have to set a corp header or something for it to work but I dont understand that.

Ontropy
  • 130
  • 1
  • 12
  • This seems like correct behavior, since `require-corp` is intended to protect embedded content (the youtube iframe) from a potentially malicious host (your page trying to steal secrets from it). The embeddee (youtube) can declare origins it may be embedded from (that it trusts), but lacking that you may need to avoid using shared memory if offsite embeds are important to your use case. – tari Jul 09 '21 at 06:11
  • @tari no way around it? both features are quite important for the site. we'll be changing the server in a few months, I had been planning to remove SharedArrayBuffer then, but untill then I need to make the current stuff work. – Ontropy Jul 09 '21 at 06:41
  • 2
    Ultimately you would need a way to embed youtube in a way that youtube is satisfied you can't steal any secrets. If you specify `require-corp`, any embedded content *must* either permit that embedding via CORS (and putting a `crossorigin` attribute on your `iframe`) or CORP. Since Youtube doesn't appear to support either of those (either because they haven't bothered to, or don't have a way to serve a video such that it can't leak secrets to a malicious embedder), you can't satisfy the browser's security requirements to do what you want. – tari Jul 10 '21 at 08:09
  • In Chrome you can register for an origin trial which makes your website continue using SharedArrayBuffer without cross-origin isolation for some versions. https://developer.chrome.com/blog/enabling-shared-array-buffer/ Meanwhile, there's an idea to help iframes being loaded without CORS or CORP header is discussed: https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md – agektmr Jul 24 '21 at 15:15
  • 1
    There is an issue opened about this matter here https://issuetracker.google.com/issues/240387105 consider upvoting it to increase the chance of having it solved soon. – AlaricB Aug 05 '22 at 14:51

1 Answers1

2

This can be resolved by either youtube side by adding Cross-Origin-Resource-Policy (reported) or by a browser via <iframe anonymous> feature (status).

The feature is available in chrome 105 under flag --enable-blink-features=AnonymousIframe and can be tested on https://anonymous-iframe.glitch.me/ (look for "Status = Enabled")

Running chrome with the flag + <iframe src="https://www.youtube...." anonymous></iframe> does work

Yoz
  • 707
  • 6
  • 20
  • 1
    It's been renamed to `` since chrome 110. `window.isAnonymouslyFramed` has become `window.credentialless`. No flags needed starting from that version of chrome. – T. Dayya Feb 28 '23 at 09:56