Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reciprocating a Cross-Origin-Embedder-Policy (COEP) of require-corp #135

Open
jbcaprell opened this issue Mar 5, 2023 · 0 comments
Open

Reciprocating a Cross-Origin-Embedder-Policy (COEP) of require-corp #135

jbcaprell opened this issue Mar 5, 2023 · 0 comments

Comments

@jbcaprell
Copy link

This is a little niche, but I think maybe this:

phoenix_live_reload/lib/phoenix_live_reload/live_reloader.ex

Line 128 in 43b923b

|> put_resp_content_type("text/html")

… should be expanded to:

    |> merge_resp_headers([
      {"content-type", "text/html; charset=utf-8"},
      {"cross-origin-embedder-policy", "require-corp"},
      {"cross-origin-resource-policy", "cross-origin"}
    ])

… in order to allow for the target to set a Cross-Origin-Embedder-Policy of require-corp.

You can, I’ll note, make this square in Chrome as of January by setting iframe_attrs: [credentialless: "true"] as part of a given Endpoint’s :live_reload configuration, but that’s only true in Chrome. This seems to me like the more back-of-the-fence fix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jbcaprell