Tags: security, iframe, iframe-app, cross-origin-embedder-policy, cross-origin-opener-policy

Cross-Origin-Embedder-Policy: how to allow only certain domains?


On a website of mine I have to embed an iframe that requires the following headers on my website, since it needs the SharedArrayBuffer feature:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Unfortunately, a 3rd-party service iframe I still need in my page is not loading anymore. Is there a way to allow a 3rd-party domain even with the embedder policy turned on?

Thanks. Dario.


Solution

  • The 3rd-party website will have to add your domain to the Content-Security-Policy response header:

    Response header from 3rd party website:

    Content-Security-Policy: frame-ancestors 'self' https://*.yourdomain.com;


    If you don't have control over it, there is nothing you can do.
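A header check for the situation in this thread, added here as an example and not code from the question or the answer: it parses the 3rd party's Content-Security-Policy, tests whether its frame-ancestors list admits the parent origin (including the https://*.yourdomain.com wildcard form from the answer), and also flags the Cross-Origin-Resource-Policy and Cross-Origin-Embedder-Policy headers that COEP: require-corp itself demands of a cross-origin frame. The frame URL, parent origin and header values are constructed samples.

```python
# Added example, not from the thread; all URLs and header values are constructed.
from urllib.parse import urlsplit

def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, ancestor, frame_origin):
    """Does one frame-ancestors source expression admit the ancestor origin?"""
    src, anc = source.lower(), urlsplit(ancestor)
    if src in ("'none'", "'self'", "*"):
        return src == "*" or (src == "'self'" and ancestor.lower() == frame_origin.lower())
    if src.endswith(":"):                              # scheme-source, e.g. https:
        return anc.scheme == src[:-1]
    scheme, sep, host_part = src.partition("://")      # bare host if no scheme given
    host = (host_part if sep else src).split("/", 1)[0].split(":", 1)[0]
    if sep and anc.scheme != scheme:
        return False
    if host.startswith("*."):                          # subdomains only, never the apex
        return anc.hostname.endswith(host[1:])
    return anc.hostname == host

def frame_allowed(frame_url, frame_headers, parent_origin):
    """Return (ok, problems) for loading frame_url inside a require-corp parent."""
    h = {k.lower(): v.strip() for k, v in frame_headers.items()}
    p = urlsplit(frame_url)
    frame_origin = "%s://%s" % (p.scheme, p.netloc)
    problems = []
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None and not any(
            source_matches(s, parent_origin, frame_origin) for s in ancestors):
        problems.append("frame-ancestors does not admit " + parent_origin)
    # COEP: require-corp also requires a cross-origin frame to opt in via CORP
    # and to carry a compatible COEP of its own, independent of frame-ancestors.
    if h.get("cross-origin-resource-policy", "").lower() != "cross-origin":
        problems.append("missing Cross-Origin-Resource-Policy: cross-origin")
    if h.get("cross-origin-embedder-policy", "").lower() not in ("require-corp", "credentialless"):
        problems.append("frame lacks its own Cross-Origin-Embedder-Policy")
    return not problems, problems

# Constructed sample of what the 3rd party would need to send for app.yourdomain.com.
SAMPLE_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self' https://*.yourdomain.com;",
                  "Cross-Origin-Resource-Policy": "cross-origin",
                  "Cross-Origin-Embedder-Policy": "require-corp"}
```

Note that `https://*.yourdomain.com` admits `app.yourdomain.com` but not the bare apex `yourdomain.com`, which the check reports.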