set cross-origin-resource-policy
niklasf opened this issue · 1 comments
niklasf commented
for local development without nginx, we will have to add the following header to all responses:
Cross-Origin-Resource-Policy: cross-origin
meanwhile using nginx on prod (note always, to include it despite non-2xx status code):
add_header Cross-Origin-Resource-Policy "cross-origin" always;
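Added example, not part of the original comment or the project's code: a local development server that sets the header on every response, error responses included, which is what `always` does in the nginx line. It assumes assets are served by Python's `http.server`; `CorpHandler`, `start_dev_server` and `corp_of` are hypothetical names.

```python
import functools
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CORP_HEADER = ("Cross-Origin-Resource-Policy", "cross-origin")


class CorpHandler(SimpleHTTPRequestHandler):
    def end_headers(self):
        # send_error() also finishes through end_headers(), so 404s and
        # other non-2xx responses carry the header as well.
        self.send_header(*CORP_HEADER)
        super().end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_dev_server(directory=".", port=0):
    """Serve `directory` on 127.0.0.1; port 0 picks a free port."""
    handler = functools.partial(CorpHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def corp_of(url):
    """Return (status, CORP header value) for url, error responses included."""
    # Ignore any proxy settings in the environment for this local check.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url) as resp:
            return resp.status, resp.headers.get(CORP_HEADER[0])
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get(CORP_HEADER[0])


if __name__ == "__main__":
    srv = start_dev_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print(corp_of(base + "/"))              # directory listing
    print(corp_of(base + "/missing-file"))  # 404 still has the header
    srv.shutdown()
```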
niklasf commented
Looks like WebSockets are exempt as per the specification (https://wicg.github.io/cross-origin-embedder-policy/#corp-check), and browsers have been updated to respect it (https://bugzilla.mozilla.org/show_bug.cgi?id=1634419).