html http-headers cross-origin-opener-policy cross-origin-embedder-policy

Can COOP/COEP headers be set with meta tags (http-equiv)?


Can the Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers be set with <meta> tags, or can they only be set with actual headers? If not, is there a list of headers which can be set with meta tags?

The following example logs crossOriginIsolated: false to the console.

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Cross-Origin-Embedder-Policy" content="require-corp">
  <meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width">
  <title>COOP/COEP header test</title>
</head>
<body>
  <script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>
</body>
</html>

If I remove those http-equiv meta tags and serve the file with actual HTTP headers, then it logs crossOriginIsolated: true (in both Chrome and Firefox). So it seems like I can't set these headers with meta tags?


Solution

  • No, they can't.

    According to this spec, http-equiv supports only a few HTTP headers. https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv.

    That means these headers can be set only as HTTP ("actual") headers by a server.
    Supporting them in HTML would be a security bug.
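
The following Node.js code is an added example, not part of the original question or answer. It lists the http-equiv keywords the HTML Standard defines, flags <meta http-equiv> policies that a browser will silently ignore, and serves the page with COOP/COEP as real response headers. The names ignoredHttpEquiv, isolatedHandler and serve, the --serve flag, and port 8080 are assumptions made for illustration.

```javascript
// http-equiv keywords the HTML Standard defines as pragma directives.
// (It also lists "set-cookie", but requires user agents to ignore it.)
const SUPPORTED_HTTP_EQUIV = new Set([
  "content-language", "content-type", "default-style",
  "refresh", "x-ua-compatible", "content-security-policy",
]);

// The pair the question sends as real headers to get crossOriginIsolated: true.
const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
};

// Constructed sample page: two ignored <meta> policies plus one supported pragma.
const SAMPLE_PAGE = `<!DOCTYPE html>
<html><head>
  <meta http-equiv="Cross-Origin-Embedder-Policy" content="require-corp">
  <meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin">
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>COOP/COEP header test</title>
</head><body>
  <script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>
</body></html>`;

// List http-equiv values in `html` that browsers will silently ignore.
// A regex scan suits auditing your own templates; it is not a full HTML parser.
function ignoredHttpEquiv(html) {
  const re = /<meta\b[^>]*\bhttp-equiv\s*=\s*["']?([^"'\s>]+)/gi;
  return [...html.matchAll(re)]
    .map((m) => m[1])
    .filter((name) => !SUPPORTED_HTTP_EQUIV.has(name.toLowerCase()));
}

// Request handler that delivers the policies where browsers read them.
function isolatedHandler(html) {
  return (_req, res) => {
    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8", ...ISOLATION_HEADERS });
    res.end(html);
  };
}

// Hypothetical entry point: `node example.js --serve`, then open http://127.0.0.1:8080/.
async function serve(port = 8080) {
  const http = await import("node:http");
  console.log("ignored <meta> policies:", ignoredHttpEquiv(SAMPLE_PAGE));
  return http.createServer(isolatedHandler(SAMPLE_PAGE)).listen(port, "127.0.0.1");
}
if (process.argv.includes("--serve")) serve();
```

Running ignoredHttpEquiv over templates in a build or CI step catches security policies that were declared in markup and therefore never took effect.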