
Cross-Origin-Resource-Policy "cross-origin" not present in workbox-strategies.dev.js

Open arleyandrada opened this issue 3 years ago • 2 comments

Unable to make my website "cross-origin isolated" using COOP and COEP. https://web.dev/coop-coep/

Resource: https://storage.googleapis.com/workbox-cdn/releases/XXXXX/workbox-strategies.dev.js

Error: To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers.

Missing response header: Cross-Origin-Resource-Policy: cross-origin

arleyandrada, Apr 03 '21 18:04

Hello—I just tried to set that Cross-Origin-Resource-Policy: "cross-origin" header on a test Google Cloud Storage item (which is what we use for the "CDN" copy of Workbox), and unfortunately, it does not appear possible at the moment. If you attempt to set that header metadata, it ends up being served with an x-goog-meta- prefix in the response headers, as described in the documentation.

I'll follow up with the Google Cloud Storage team to see if there are any plans to add official support for that header.

In the meantime, you have a couple of options:

  • Use Workbox's CLI to obtain a local copy of the Workbox libraries that would otherwise be loaded from the CDN, and serve those via your own web server, which would make them same-origin. This can be done by running npx workbox-cli copyLibraries . and then following the documentation for setting the modulePathPrefix in workbox-sw.

  • Instead of loading the Workbox libraries via workbox-sw, compile your own bundle consisting of the Workbox runtime plus the code you write yourself that uses Workbox. There's documentation describing that process as well, but it does require adding in a build step to your project, which could mean extra work if you're not already using a bundler.

jeffposnick, Apr 05 '21 19:04

It's taking some time to figure out whether we will have a path forward for setting those headers on the Google Cloud Storage responses.

In the meantime, for Chrome 93-95, there's an origin trial of "Cross-Origin-Embedder-Policy: credentialless" that you could sign up for at https://developer.chrome.com/origintrials/#/view_trial/3036552048754556929.

I believe that if you opt-in to that origin trial you should be able to use those advanced security guarantees without the Google Cloud Storage server response needing to include that header.

jeffposnick, Jul 15 '21 13:07