
HCE/NNUE conflicts with Twitch/YouTube embeds, custom backgrounds and userstyles

Open niklasf opened this issue 4 years ago • 5 comments

This applies since Chromium 83, and other browsers soon as well:

stockfish.wasm requires Cross-Origin-Embedder-Policy: require-corp, and therefore Cross-Origin-Resource-Policy: cross-origin on all embedded resources.

  • [x] ~Options for Twitch:~

    • ~Twitch needs to forfeit site isolation, otherwise stockfish.wasm can't run in the same context. Get Twitch to place Cross-Origin-Resource-Policy: cross-origin on the relevant resources. Seems unlikely to happen.~
    • Don't see another option. Only one of Twitch or stockfish.wasm can live in the same context.
  • [ ] Options for background images:

    • Get image hosts to place Cross-Origin-Resource-Policy: cross-origin.
    • Host our own proxy or upload for images, which adds that header.
    • No custom background images on analysis pages.
  • [x] For local development:

    • Works fine when not using a separate asset domain, which is the default setup.
    • When using a separate asset domain and nginx, add Cross-Origin-Resource-Policy: cross-origin to assets and also on lila-ws (https://github.com/ornicar/lila-ws/issues/71).
  • [x] For userstyles/scripts:

    • Host assets with Cross-Origin-Resource-Policy: cross-origin.
    • Use Data URLs

(The reason is that stockfish.wasm would have the capability to break site isolation with timing-based attacks. So third-party resources have to explicitly opt out of site isolation by adding the header.)

niklasf avatar May 23 '20 19:05 niklasf
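An added example, not part of the original issue or of lila's code: a simplified model of which subresources a page can still load once it sets Cross-Origin-Embedder-Policy, covering the options listed above (CORP header, Data URLs, same-origin hosting). The hosts `lila.example`, `assets.example` and `img.example` and the sample list are constructed, and the function names are hypothetical.

```javascript
'use strict';

// Simplified model of how a page with Cross-Origin-Embedder-Policy treats
// no-cors subresources (images, scripts, stylesheets). Iframes such as the
// Twitch player follow additional rules and are not modelled here.
function checkResource(pageUrl, coep, res) {
  const url = new URL(res.url, pageUrl);
  if (url.protocol === 'data:') return { allowed: true, why: 'data URL' };
  if (url.origin === new URL(pageUrl).origin) return { allowed: true, why: 'same-origin' };
  if (res.cors) return { allowed: true, why: 'CORS request, CORP not consulted' };
  const headers = res.headers || {};
  const corp = String(headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  if (corp === 'cross-origin') return { allowed: true, why: 'CORP: cross-origin' };
  // Conservative: this model does not compare registrable domains, so a
  // same-site policy is reported as blocked together with same-origin.
  if (corp === 'same-origin' || corp === 'same-site') return { allowed: false, why: 'CORP: ' + corp };
  // No (or unrecognised) CORP header: the outcome depends on the page's COEP.
  if (coep === 'require-corp') return { allowed: false, why: 'no CORP header under require-corp' };
  if (coep === 'credentialless') return { allowed: true, why: 'fetched without credentials' };
  return { allowed: true, why: 'no COEP, page is not cross-origin isolated' };
}

// Returns the URLs from `resources` that the page would fail to load.
function blockedResources(pageUrl, coep, resources) {
  return resources
    .filter((res) => !checkResource(pageUrl, coep, res).allowed)
    .map((res) => res.url);
}

// Constructed sample: an analysis page and the resources it embeds.
const PAGE = 'https://lila.example/analysis';
const SAMPLE = [
  { url: '/assets/stockfish.wasm', headers: {} },
  { url: 'https://assets.example/site.css',
    headers: { 'cross-origin-resource-policy': 'cross-origin' } },
  { url: 'https://img.example/background.jpg', headers: {} },
  { url: 'data:image/png;base64,iVBORw0KGgo=', headers: {} },
];

for (const coep of ['require-corp', 'credentialless']) {
  console.log(coep, '-> blocked:', blockedResources(PAGE, coep, SAMPLE));
}
```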

We're trying to embed the Twitch player into a site that also uses modern WebAssembly features. Therefore our page must be served with the following HTTP headers:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

This breaks the Twitch embed in Chrome >= 83. Would it be possible for you to serve the Twitch player with

 Cross-Origin-Resource-Policy: cross-origin

as suggested in the attached screenshot? A minimal test case is hosted here: https://backscattering.de/twitch-embed/

image

niklasf avatar Jun 18 '20 15:06 niklasf

(Somewhat late) update (since it just came up again): It does work in (recent versions of) Chrome now (and other browsers based on it like the new Microsoft Edge) due to the somewhat new Cross-Origin-Embedder-Policy: credentialless header. Other browsers don't yet support it though.

benediktwerner avatar Mar 22 '22 22:03 benediktwerner

I found a different solution to the problem. I basically messed around with some settings, I changed the background to light, and then back to dark, and all of a sudden, I was able to see the background images etc. Might work for someone.

mmuneebuk avatar Apr 12 '22 14:04 mmuneebuk

Status in Chrome: https://chromestatus.com/feature/4918234241302528

Status in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778

niklasf avatar May 01 '22 08:05 niklasf

Applied for Origin Trial in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1789300

niklasf avatar Sep 05 '22 19:09 niklasf