Follow-up to #167.

Add a CloudFront Response Headers Policy that emits:

```
Cross-Origin-Resource-Policy: cross-origin
```

Context:

On a page that sets `Cross-Origin-Embedder-Policy: require-corp` (COEP), every cross-origin subresource must satisfy the policy via either:

- CORP path: the response carries `Cross-Origin-Resource-Policy: cross-origin`, or
- CORS path: the request is made in CORS mode (`crossorigin` attribute on the tag) and the response returns `Access-Control-Allow-Origin`.

#167 added support for the CORS path. This ticket would add support for the CORP path.

Benefits:

- Fixes the same class of problem for operators who never set `crossorigin` (no per-site action).
- Covers the main bundle and any future subresources.
- Avoids the CORS round-trip on COEP pages.
- Optionally also add `Timing-Allow-Origin: *` so cross-origin web-vitals timing isn't zeroed out.
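As an added example (not code from this issue or the project), the following script models the two paths described above: `coep_allows` decides whether a subresource loads on a `require-corp` page given the request mode and the response headers, `corp_policy_config` builds the Response Headers Policy in the shape the CloudFront API (`create_response_headers_policy`) expects with the CORP header and the optional `Timing-Allow-Origin`, and `apply_policy` simulates CloudFront adding those headers to an origin response. The page/bundle URLs and header sets are constructed samples; the site-matching helper is a deliberate simplification (no public-suffix list).

```python
# Added example, not part of the issue or the project's code. Models the COEP
# subresource check and the CloudFront Response Headers Policy (CloudFront API
# dict shape; the exact field names are an assumption to verify against the
# AWS docs). All URLs and headers below are constructed samples.
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _site(origin: str) -> str:
    # Crude eTLD+1 approximation good enough for the sample hosts here
    # (assumption: browsers use the public-suffix list instead).
    host = urlsplit(origin).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def coep_allows(page_url: str, resource_url: str, mode: str, headers: dict) -> tuple:
    """Decide whether a subresource loads on a page sending
    Cross-Origin-Embedder-Policy: require-corp.

    mode is "no-cors" (plain <script>/<img> without crossorigin) or "cors"
    (tag carries a crossorigin attribute).  Returns (allowed, reason)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    page, res = _origin(page_url), _origin(resource_url)
    if page == res:
        return True, "same-origin"
    if mode == "cors":
        # CORS path: the CORS check, not CORP, governs cross-origin loads.
        acao = h.get("access-control-allow-origin", "")
        if acao == "*" or acao.lower() == page:
            return True, "cors: Access-Control-Allow-Origin ok"
        return False, "cors: Access-Control-Allow-Origin missing/mismatch"
    # CORP path (no-cors): require-corp needs an explicit CORP grant.
    corp = h.get("cross-origin-resource-policy", "").lower()
    if corp == "cross-origin":
        return True, "corp: cross-origin"
    if corp == "same-site" and _site(page) == _site(res):
        return True, "corp: same-site"
    return False, "corp: header absent or too strict for require-corp"


def corp_policy_config(name: str, timing_allow_origin: bool = False) -> dict:
    """Build a ResponseHeadersPolicyConfig that adds the CORP header and,
    optionally, Timing-Allow-Origin: * (issue's optional item)."""
    items = [{"Header": "Cross-Origin-Resource-Policy",
              "Value": "cross-origin", "Override": True}]
    if timing_allow_origin:
        items.append({"Header": "Timing-Allow-Origin", "Value": "*", "Override": False})
    return {
        "Name": name,
        "Comment": "CORP path for COEP require-corp embedders",
        "CustomHeadersConfig": {"Quantity": len(items), "Items": items},
    }
    # Usage (not run here, hypothetical call):
    # boto3.client("cloudfront").create_response_headers_policy(
    #     ResponseHeadersPolicyConfig=corp_policy_config("corp-cross-origin"))


def apply_policy(origin_headers: dict, config: dict) -> dict:
    """Simulate CloudFront adding custom headers to an origin response:
    Override=True replaces an existing value, Override=False keeps the origin's."""
    out = dict(origin_headers)
    lower = {k.lower(): k for k in out}
    for item in config["CustomHeadersConfig"]["Items"]:
        key = lower.get(item["Header"].lower())
        if key is None:
            out[item["Header"]] = item["Value"]
        elif item["Override"]:
            out[key] = item["Value"]
    return out


# Constructed sample: a COEP page embedding the bundle served from CloudFront.
PAGE = "https://app.example.com/dashboard"
BUNDLE = "https://cdn.example-assets.net/bundle.js"
ORIGIN_RESPONSE = {"Content-Type": "application/javascript"}  # no CORP, no ACAO

if __name__ == "__main__":
    print("without policy:", coep_allows(PAGE, BUNDLE, "no-cors", ORIGIN_RESPONSE))
    with_policy = apply_policy(ORIGIN_RESPONSE, corp_policy_config("corp-cross-origin"))
    print("with policy:   ", coep_allows(PAGE, BUNDLE, "no-cors", with_policy))
```

Running it shows the bundle blocked on the no-cors path until the policy adds the CORP header, while a tag with `crossorigin` would instead depend on `Access-Control-Allow-Origin` (the #167 path). `Override: True` on the CORP header is intentional so an origin that emits a stricter value cannot re-break COEP embedders; `Timing-Allow-Origin` is left at `Override: False` so an origin that already scopes it is respected.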
Note: This document was produced during an AI-assisted code review session.