Setting Cross-Origin headers for static sites

I’d like to create a demo using - npm which requires the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers to be set. Is there anyway to configure these for a static Glitch site?

1 Like

Hi and welcome, @lrowe! Unfortunately, this isn’t possible for a static site, although I believe Glitch has a default CORS policy for some kind of files, and you can implement some kind of system to prevent <iframe>s

Unfortunately due to security concerns a number of advanced browser features are now gated behind the top level document being served with appropriate headers to opt into cross origin isolation. For example see: SharedArrayBuffer - JavaScript | MDN

It would be great if Glitch considered adding support for this so it can stay relevant for more advanced browser use cases.

Try out coi-serviceworker - npm - it uses a service worker to alter the headers of each request (which is somehow allowed by the spec :person_shrugging:)

Thanks. That’s probably the best option. Unfortunately I’ve found service workers in Chrome to be unreliable after a hard reload. 1446885 - chromium - An open-source project to help move the web forward. - Monorail

oh wow that’s bizarre behaviour indeed

Yea, I think that’s intended for service workers, I would be all for this feature as well, a certain wasm rebuild of a game I have runs a bit better when sharedarraybuffer can be utilized for “threads”, but it’s quite annoying with the header requirement.