Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

How to use cross-origin resources while complying with the security requirements of SharedArrayBuffer? #576

Unanswered
Jveshi asked this question in Q&A
Discussion options

https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer
According to the security requirements of SharedArrayBuffer, I added the following content to the server configuration. (The server is Apache)
It is equivalent to adding this http header to all requests.

<IFModule mod_headers.c>
	Header add Cross-Origin-Opener-Policy "same-origin"
	Header add Cross-Origin-Embedder-Policy "require-corp"
</IFModule>

At first, all resources were on the same site. This runs fine with no issues.

Later, I split the referenced open source code, data API, pictures, and video resources to another site.
I found that this will affect cross-domain resources. Delete these two http headers to use cross-domain resources. But this doesn't meet the security requirements of SharedArrayBuffer, so I can't use ffmpeg.wasm.

How to solve this problem?
You must be logged in to vote

Replies: 1 comment 1 reply

Comment options

I just did some testing by adding an <img> to my multithreaded ffmpeg.wasm test that has a src attribute pointing at another one of my test domains. It was blocked due to the headers you have also added to enable SharedArrayBuffer. After reading some more on MDN and testing I found the solution which is stated below.

From Cross-Origin-Embedder-Policy on MDN

require-corp

A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.

The servers that provide cross-origin resources to your restricted page need to add the below header. (Not the server serving your page with the 2 headers stated in your post.)

Cross-Origin-Resource-Policy "cross-origin"
You must be logged in to vote
1 reply
Comment options

It seems like this at present. Using SharedArrayBuffer will affect cross-domain resources due to same-origin restrictions. I can only use as few cross-domain resources as possible, and need to use workarounds, such as using base64 strings to transmit user avatars.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
2 participants

AltStyle によって変換されたページ (->オリジナル) /