Cross-Origin-Resource-Policy header

Hi! I have a single page application using okta-auth-js and okta-react with the implicit flow.

I have a feature in development that depends on being able to use SharedArrayBuffer. In order to enable this, I have set the Cross-Origin-Opener-Policy header to same-origin and the Cross-Origin-Embedder-Policy header to require-corp on my index.html document.

When, using Chrome, the token expires after an hour, I see the following message in dev tools:

Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP). This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded.

To solve this, add the following to the resource's response header:

  • Cross-Origin-Resource-Policy: same-site if the resource and your site are served from the same site.
  • Cross-Origin-Resource-Policy: cross-origin if the resource is served from another location than your website. Warning: if you set this header, any website can embed this resource.

I don’t see any options in the Okta admin to add this Cross-Origin-Resource-Policy header. What is the best way to enable SharedArrayBuffer with an Okta application?

Thank you in advance!

Minimal repository demonstrating the issue:

I have a similar case where the browser client is using pThreads and that also requires COEP. When will Okta add support for the new security headers? See COEP COOP CORP CORS CORB - CRAP that's a lot of new stuff!

Note from the article, in the short term, Okta can respond to a Cross-Origin-Embedder-Policy request header with a standard CORS Access-Control-Allow-Origin response header or a CORP response header.
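As an added example (not code from either post or from Okta), here is the admission rule that Chrome's message and the linked article describe for a document sending COEP: require-corp, written as a checker over a subresource's response headers; the site comparison uses a last-two-labels approximation of the registrable domain rather than the Public Suffix List.

```javascript
// Decide whether a subresource may load into a document that sends
// Cross-Origin-Embedder-Policy: require-corp. Two routes exist: a CORS-mode
// request (fetch, or <script crossorigin>) passes on a matching
// Access-Control-Allow-Origin; a no-cors request (plain <img>, <script>)
// needs an explicit Cross-Origin-Resource-Policy grant from the resource.

// Assumption: registrable domain = last two labels (real browsers use the
// Public Suffix List, so e.g. "co.uk" hosts would be misjudged here).
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

// Schemeful same-site: scheme and registrable domain must both match.
function sameSite(a, b) {
  return a.protocol === b.protocol && site(a.hostname) === site(b.hostname);
}

// documentUrl: the page carrying COEP: require-corp.
// resourceUrl: the subresource being fetched.
// headers: response headers of the resource, lowercase keys.
// mode: 'no-cors' (default) or 'cors'.
function coepAllows(documentUrl, resourceUrl, headers, mode = 'no-cors') {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  if (sameOrigin(doc, res)) return { allowed: true, reason: 'same-origin' };

  if (mode === 'cors') {
    // COEP defers to the CORS check for CORS-mode requests.
    const acao = (headers['access-control-allow-origin'] || '').trim();
    if (acao === '*' || acao === doc.origin) return { allowed: true, reason: 'cors' };
    return { allowed: false, reason: 'Access-Control-Allow-Origin missing or mismatched' };
  }

  // no-cors: only a CORP value that covers this document admits the resource.
  const corp = (headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  if (corp === 'cross-origin') return { allowed: true, reason: 'CORP: cross-origin' };
  if (corp === 'same-site' && sameSite(doc, res)) return { allowed: true, reason: 'CORP: same-site' };
  return { allowed: false, reason: corp ? `CORP: ${corp} does not cover ${doc.origin}` : 'no CORP header' };
}
```

Run it against the headers your IdP actually returns (constructed values below stand in for them) to see which of the two routes, CORP or CORS, a given resource would satisfy.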