Cross-Origin Embedder Policy and loading javascript

I have a website on server A with Cross-Origin Embedder Policy = RequireCorp header that fetches a script from server B (A and B are different origins and both owned by me).

  • There are multiple servers like A with different domains that need to fetch this script from B

I'm receiving the following error: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200

I see two ways to fix this:

  1. Add Cross-Origin-Resource-Policy cross-origin header to server B.

  2. Add crossorigin tag to this specific script tag

What are the differences between those two solutions?



Solution 1:

If you own both servers, the difference is probably not so big, because CORS is about preventing cross-origin requests from a malicious website to a victimized server.

With alternative #1, the Cross-Origin-Resource-Policy header must have the value cross-origin, which you may not want to set in general, but depending on the Origin header of the request.

With alternative #2, the Access-Control-Allow-Origin header could have a more restricted value like https://serverA.of.your.website. By this you could better restrict access without having to evaluate the Origin header of the request. But since you have multiple such servers A, that does not help you much.
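As an added illustration (not part of the question or the answer above), here are the two options written as server B's response-header logic, together with a simplified model of the check a COEP: require-corp document performs on a cross-origin script. The origins in `ALLOWED_ORIGINS` are made up, and request header keys are assumed lowercase as Node's `req.headers` delivers them.

```javascript
// Constructed allowlist of the "server A" origins that embed B's script.
const ALLOWED_ORIGINS = new Set([
  "https://a1.example",
  "https://a2.example",
]);

// Option 1: blanket CORP header on server B. Any document may embed the
// script as a no-cors resource; B does not look at who is asking.
function corpHeaders() {
  return {
    "content-type": "text/javascript",
    "cross-origin-resource-policy": "cross-origin",
  };
}

// Option 2: answer as a CORS response. The page uses <script crossorigin>, so
// the browser sends an Origin header; B echoes it back only if it is on the
// list. Unknown origins get no ACAO header and the browser refuses the script.
function corsHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  const headers = { "content-type": "text/javascript" };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["access-control-allow-origin"] = origin;
    headers["vary"] = "Origin"; // stop caches replaying a1's ACAO to a2
  }
  return headers;
}

// Simplified model of what a COEP: require-corp page does with the response.
// With the crossorigin attribute the load is a CORS request and needs a
// matching ACAO ("*" is accepted for anonymous requests); without it the load
// is no-cors and needs CORP: cross-origin. A CORP-only response fetched with
// crossorigin set still fails, because the CORS check comes first.
function coepAllows(responseHeaders, pageOrigin, crossoriginAttr) {
  if (crossoriginAttr) {
    const acao = responseHeaders["access-control-allow-origin"];
    return acao === pageOrigin || acao === "*";
  }
  return responseHeaders["cross-origin-resource-policy"] === "cross-origin";
}

// Demo: the blocked case from the question, then each fix.
console.log(coepAllows({ "content-type": "text/javascript" }, "https://a1.example", false)); // false
console.log(coepAllows(corpHeaders(), "https://a1.example", false));                         // true
console.log(coepAllows(corsHeaders({ origin: "https://a1.example" }), "https://a1.example", true)); // true
```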

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow