Setting the COOP and COEP headers on static hosting like GitHub Pages
Remember the Cross-Origin-Embedder-Policy (COEP) and the Cross-Origin-Opener-Policy (COOP) headers for making your site cross-origin isolated? If not, here's my colleague Eiji Kitamura's article Making your website "cross-origin isolated" using COOP and COEP . To be effective, they need to be sent as in the example below.
cross-origin-embedder-policy: credentialless
cross-origin-opener-policy: same-origin
Cross-origin isolated documents operate with fewer restrictions when using the following APIs:
SharedArrayBuffer
can be created and sent via a Window.postMessage()
or a MessagePort.postMessage()
call. Performance.now()
offers better precision. Performance.measureUserAgentSpecificMemory()
can be called.
Typically, sending non-default HTTP headers like COOP and COEP means controlling the server so you can configure it to send them. I recently learned that they are also honored if set through a service worker π€―! This means you can make apps on static hosting like on GitHub Pages cross-origin isolated!
- Blog post by stefnotch: Enabling COOP/COEP without touching the server
- Library by Guido Zuidhof: coi-serviceworker
- Demo: Are we cross-origin isolated?
One example where cross-origin isolating your site is needed is with SQLite Wasm when you want to use persistent storage with the origin private file system virtual file system called OPFS sqlite3_vfs. I'm glad to have this coi-serviceworker trick up my sleeve now, and you do, too!