securityiframeiframe-appcross-origin-embedder-policycross-origin-opener-policy

Cross-Origin-Embedder-Policy: how to allow only certain domains?


on a website I have to embed an iframe that requires the following headers on my website, since it needs the SharedArrayBuffer feature:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Unfortunately, a 3rd party service IFRAME I still need in my page is not loading anymore. There's a way to allow a 3rd party domain even with the embedded-policy turned on?

Thanks. Dario.


Solution

  • The 3rd party website will have to add your domain in the content security policy response header:

    Response header from 3rd party website:

    "Content-Security-Policy: frame-ancestors 'self' https://*.yourdomain.com;";
    

    If you don't have control over it, there is nothing you can do.