vercel / analytics

Privacy-friendly, real-time traffic insights
https://vercel.com/analytics
Mozilla Public License 2.0

Add `Cross-Origin-Resource-Policy: cross-origin` header to CDN asset to support sites with COEPs #39

Closed fabianuribe closed 1 year ago

fabianuribe commented 1 year ago

Currently the Analytics debug script (`script.debug.js`) gets blocked in the development environment when the site has a Cross-Origin Embedder Policy with a `require-corp` value (e.g. required for enabling APIs that require site isolation, such as SharedArrayBuffer).

```
GET https://cdn.vercel-insights.com/v1/script.debug.js
net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200
```

The fix usually involves simply adding the `Cross-Origin-Resource-Policy: cross-origin` header to the resource served from the CDN.

More information about COEPs, COOPs and CORPs: https://web.dev/coop-coep/

Note: Most likely low priority, given the script is proxied in the production environment and hence served from the same origin.

https://github.com/vercel/analytics/blob/554bb2c6e0ee6e30cf6f576ccd820cbcc8a37af3/packages/web/src/generic.ts#L20-L23
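
Why the request in the issue above is blocked and why the header fixes it, as an added example (not code from the issue, the vercel/analytics repository, or any browser): a simplified JavaScript model of the cross-origin resource policy check from the Fetch specification. The `http://localhost:3000` origin and the proxied path are constructed, and `same-site` and COEP `credentialless` are simplified or left out as the comments note.

```javascript
// Added illustration: simplified model of the Fetch spec's
// cross-origin resource policy check. Not browser or vercel/analytics code.
const CORP_VALUES = new Set(['same-origin', 'same-site', 'cross-origin']);

function corpCheck({ documentOrigin, embedderPolicy, resourceUrl, mode, headers }) {
  // CORP only gates no-cors requests, e.g. <script src> without crossorigin.
  if (mode !== 'no-cors') return { allowed: true, reason: 'not a no-cors request' };

  // Header names are case-insensitive; unrecognised values mean "no policy".
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  let policy = lower['cross-origin-resource-policy'] ?? null;
  if (!CORP_VALUES.has(policy)) policy = null;

  // The step behind the error in the issue: under COEP require-corp a
  // response without a CORP header is treated as if it said "same-origin".
  // (COEP credentialless is not modelled here.)
  const defaulted = policy === null && embedderPolicy === 'require-corp';
  if (defaulted) policy = 'same-origin';

  if (policy === null || policy === 'cross-origin') {
    return { allowed: true, reason: policy ?? 'no policy to enforce' };
  }
  // Simplification: "same-site" is compared like "same-origin", because a
  // real same-site comparison needs the Public Suffix List.
  if (new URL(resourceUrl).origin === new URL(documentOrigin).origin) {
    return { allowed: true, reason: 'same origin' };
  }
  return {
    allowed: false,
    reason: defaulted ? 'NotSameOriginAfterDefaultedToSameOriginByCoep' : `blocked by ${policy}`,
  };
}

// Constructed inputs: a local dev page with COEP require-corp loading the CDN script.
const devPage = { documentOrigin: 'http://localhost:3000', embedderPolicy: 'require-corp', mode: 'no-cors' };
const cdnScript = 'https://cdn.vercel-insights.com/v1/script.debug.js';

const before = corpCheck({ ...devPage, resourceUrl: cdnScript, headers: {} });
const after = corpCheck({ ...devPage, resourceUrl: cdnScript,
  headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } });
// Same-origin (proxied) delivery needs no CORP header; the path is a placeholder.
const proxied = corpCheck({ ...devPage, resourceUrl: 'http://localhost:3000/placeholder/script.js', headers: {} });

console.log({ before, after, proxied });
```

Sending `cross-origin` lets any site embed the resource, which is the intended trade-off for a public CDN script.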

tobiaslins commented 1 year ago

Hey @fabianuribe,

Thanks for the heads up, the header is now set for the script :)