whatwg / notifications

Notifications API Standard
https://notifications.spec.whatwg.org/

Add crossOrigin to Notifications API #199

Open rostero1 opened 10 months ago

rostero1 commented 10 months ago

What problem are you trying to solve?

It's not possible to load an icon from a different origin with the following headers:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

What solutions exist today?

None

How would you solve it?

Support crossOrigin as a Notifications API option

Anything else?

No response

annevk commented 10 months ago

If the icon came with a Cross-Origin-Resource-Policy header it'd work. But I guess you want a way to fetch using CORS instead? Seems somewhat reasonable to support I suppose.

rostero1 commented 10 months ago

@annevk That did solve my issue, but I think the option would still be helpful if loading your assets through a CDN or some other resource that you cannot add the headers to.

In case someone finds this when trying to troubleshoot a similar issue:

My app loads with the following headers to allow for securely using SharedArrayBuffers.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

The index.html loads the cross-origin React app via: crossorigin="".

Now all the images loaded through the React app won't load unless I explicitly add crossorigin="" to each image (which is not possible for the Notifications API) or update my cross-origin assets server to add Cross-Origin-Resource-Policy: cross-origin.

I'm a little confused about security:

I assume this is safe for SharedArrayBuffers, otherwise Chrome would throw an error when I try to execute: const sab = new SharedArrayBuffer(1024);. Do you know if that's correct?

annevk commented 10 months ago

For the images the same header would work as for the icon. And yes, without COOP+COEP, there's no SAB constructor exposed.
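
The load decisions discussed in this thread, as an added example that is not part of any comment above or of the specification: a simplified model of when a cross-origin icon or image loads under Cross-Origin-Embedder-Policy: require-corp. The function name and the example.test origins are assumptions made for illustration, and the same-site value of Cross-Origin-Resource-Policy is deliberately not modelled.

```javascript
// Added example: simplified model of how a browser decides whether a
// subresource may load into a document. Not taken from any specification text.
// Origins and the function name are constructed for illustration.
function subresourceOutcome({ documentOrigin, resourceUrl, mode, coep, responseHeaders }) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value.trim();
  }
  if (new URL(resourceUrl).origin === documentOrigin) return "allowed: same-origin";

  if (mode === "cors") {
    // crossorigin="" on an element: anonymous CORS request, CORP is not consulted.
    const acao = headers["access-control-allow-origin"];
    return acao === "*" || acao === documentOrigin
      ? "allowed: CORS"
      : "blocked: CORS check failed";
  }

  // mode "no-cors": the only mode available when the API offers no crossOrigin option.
  const corp = headers["cross-origin-resource-policy"];
  if (corp === "cross-origin") return "allowed: CORP cross-origin";
  if (corp === "same-origin") return "blocked: CORP same-origin";
  if (corp === "same-site") return "undetermined: same-site comparison not modelled";
  // Missing or unrecognised CORP value: only COEP require-corp turns this into a block.
  return coep === "require-corp"
    ? "blocked: COEP require-corp needs a CORP header"
    : "allowed: no COEP restriction";
}

// Constructed cases mirroring the thread: an app page and a separate assets host.
const page = { documentOrigin: "https://app.example.test", coep: "require-corp" };
const icon = "https://cdn.example.test/icon.png";
const cases = {
  iconNoHeaders: subresourceOutcome({ ...page, resourceUrl: icon, mode: "no-cors", responseHeaders: {} }),
  iconWithCorp: subresourceOutcome({ ...page, resourceUrl: icon, mode: "no-cors",
    responseHeaders: { "Cross-Origin-Resource-Policy": "cross-origin" } }),
  imgWithCrossoriginAttr: subresourceOutcome({ ...page, resourceUrl: icon, mode: "cors",
    responseHeaders: { "Access-Control-Allow-Origin": "*" } }),
};
console.log(cases);
```

The first case is the situation the issue reports for notification icons; the second and third are the two ways out named in the thread, of which only the header is available to the Notifications API today.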