Can the Cross-Origin-Embedder-Policy
and Cross-Origin-Opener-Policy
headers be set with <meta>
tags, or can they only be set with actual headers? If not, is there a list of headers which can be set with meta tags?
The following example logs crossOriginIsolated: false
to the console.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Cross-Origin-Embedder-Policy" content="require-corp">
<meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>COOP/COEP header test</title>
</head>
<body>
<script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>
</body>
</html>
If I remove those http-equiv
meta tags and serve the file with actual HTTP headers, then it logs crossOriginIsolated: true
(in both Chrome and Firefox). So it seems like I can't set these headers with meta tags?
No, they can't.
According to this spec, http-equiv
supports only a few HTTP headers.
https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv.
That means these headers can be set only as HTTP ("actual") headers by a server.
Supporting them in HTML would be a security bug.