
Or how to modify security headers clientside.


Ever since the rather impressive Meltdown and Spectre attacks, browser vendors had to clamp down on shared memory and high resolution timers. While this conveniently means that the casual user doesn't have to work about phantom trolleys, it can be an irritating restriction for a developer. Some APIs got limited, while others were completely disabled unless one does a little dance to appease the web browser.


This means that certain web-applications have an additional hurdle to overcome.


A few examples of web-applications that have this problem are in-browser video converters using ffmpeg.wasm, a web-based notebook that supports Python and multithreaded Emscripten applications.


The Problem


The following APIs are unavailable by default


  • SharedArrayBuffer
  • SharedArrayBuffer
  • Atomics
  • Atomics

To re-enable them, the site needs to be served over HTTPS[1] and two headers need to be set. The headers, which have to be set server side[2], are


  • Cross-Origin-Opener-Policy: same-origin

    Cross-Origin-Opener-Policy: same-origin

  • Cross-Origin-Embedder-Policy: require-corp

    Cross-Origin-Embedder-Policy: require-corp

This can be quite a challenge for a number of reasons. It is not always a walk in the park for a frontend developer to control the headers that the backend sends. Static frontend applications are becoming more widespread. It is quite common that one uses a CDN which simply doesn't support setting custom HTTP headers. I personally needed a solution, as I was deploying a web-based computer algebra system on GitHub pages.



ホーム - Wiki
Copyright © 2011-2024 iteam. Current version is 2.132.0. UTC+08:00, 2024-09-21 15:41
浙ICP备14020137号-1 $お客様$