phoenixframework / phoenix_live_reload

Provides live-reload functionality for Phoenix
MIT License

Reciprocating a `Cross-Origin-Embedder-Policy` (COEP) of `require-corp` #135

Open jbcaprell opened 1 year ago

jbcaprell commented 1 year ago

This is a little niche, but I think maybe this:

https://github.com/phoenixframework/phoenix_live_reload/blob/43b923b2d909b8af55e4b905fecab7aabef43879/lib/phoenix_live_reload/live_reloader.ex#L128

… should be expanded to:

    |> merge_resp_headers([
      {"content-type", "text/html; charset=utf-8"},
      {"cross-origin-embedder-policy", "require-corp"},
      {"cross-origin-resource-policy", "cross-origin"}
    ])

… in order to allow for the target to set a `Cross-Origin-Embedder-Policy` of `require-corp`.

You can, I’ll note, make this square in Chrome as of January by setting `iframe_attrs: [credentialless: "true"]` as part of a given Endpoint’s `:live_reload` configuration, but that’s only true in Chrome. This seems to me like the more back-of-the-fence fix.
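To see why both headers are needed, here is an added model (not code from phoenix_live_reload or from the issue author) of the two checks a browser applies when a document with `Cross-Origin-Embedder-Policy: require-corp` frames another document: the framed response must carry a `Cross-Origin-Resource-Policy` that permits the embedder, and must itself declare a compatible embedder policy. It goes slightly beyond the issue by covering both a same-origin reload frame and one served from a different origin, and by showing that the frame's own COEP header is required even in the same-origin case. The URLs, the frame path, the function names and the simplified same-site comparison (last two host labels instead of the Public Suffix List) are assumptions made for this example.

```python
"""Model of the checks a COEP require-corp embedder applies to a framed response.

Added example, not part of phoenix_live_reload. The same-site logic is a
simplification of the real registrable-domain comparison (assumption).
"""
from urllib.parse import urlsplit

# COEP values that make a framed document compatible with an isolating parent.
ISOLATING = {"require-corp", "credentialless"}

# The header set proposed in the issue, as a list of (name, value) pairs.
PROPOSED_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
    ("cross-origin-embedder-policy", "require-corp"),
    ("cross-origin-resource-policy", "cross-origin"),
]

# What the frame response carries without the change: only content-type.
CURRENT_HEADERS = [("content-type", "text/html; charset=utf-8")]


def origin(url):
    """Return the (scheme, host, port) origin tuple, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def same_site(url_a, url_b):
    """Simplified same-site test: same scheme and same last two host labels.
    A browser would use the Public Suffix List here (assumption for the example)."""
    a, b = origin(url_a), origin(url_b)
    if a[0] != b[0]:
        return False
    site = lambda host: ".".join(host.split(".")[-2:])
    return site(a[1]) == site(b[1])


def corp_allows(parent_url, child_url, corp):
    """Cross-Origin-Resource-Policy check as applied under COEP require-corp."""
    if origin(parent_url) == origin(child_url):
        return True  # same-origin responses are always allowed
    if corp == "cross-origin":
        return True
    if corp == "same-site":
        return same_site(parent_url, child_url)
    return False  # "same-origin", missing or unknown value: blocked


def coep_compatible(parent_coep, child_coep):
    """A framed document must match an isolating parent's embedder policy."""
    if parent_coep not in ISOLATING:
        return True
    return child_coep in ISOLATING


def embed_allowed(parent_url, parent_coep, child_url, child_headers):
    """Return (allowed, reason) for framing child_url inside parent_url."""
    hdrs = {name.lower(): value.strip().lower() for name, value in child_headers}
    corp = hdrs.get("cross-origin-resource-policy")
    child_coep = hdrs.get("cross-origin-embedder-policy")
    if parent_coep in ISOLATING and not corp_allows(parent_url, child_url, corp):
        return (False, "cross-origin-resource-policy does not permit this embedder")
    if not coep_compatible(parent_coep, child_coep):
        return (False, "framed document lacks a compatible cross-origin-embedder-policy")
    return (True, "allowed")


if __name__ == "__main__":
    # Constructed URLs; the frame path is assumed for illustration.
    app = "https://app.example/"
    frame = "https://app.example/phoenix/live_reload/frame"
    for label, headers in (("current", CURRENT_HEADERS), ("proposed", PROPOSED_HEADERS)):
        print(label, embed_allowed(app, "require-corp", frame, headers))
```

The model explains the two-header proposal: `cross-origin-resource-policy` only matters once the frame is served from a different origin than the app (a proxy or a separate dev host), while `cross-origin-embedder-policy` on the frame response is required in every case because an isolating parent refuses to nest a document that does not declare an isolating policy itself.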