Can the Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers be set with <meta> tags, or can they only be set with actual headers? If not, is there a list of headers which can be set with meta tags?
The following example logs crossOriginIsolated: false to the console.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Cross-Origin-Embedder-Policy" content="require-corp">
<meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>COOP/COEP header test</title>
</head>
<body>
<script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>
</body>
</html>
If I remove those http-equiv meta tags and serve the file with actual HTTP headers, then it logs crossOriginIsolated: true (in both Chrome and Firefox). So it seems like I can't set these headers with meta tags?
No, they can't.
According to this spec, http-equiv supports only a few HTTP headers: https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv
That means these headers can be set only as HTTP ("actual") headers by a server.
Supporting them in HTML would be a security bug.
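An added example, not part of the question or the answer: a Node.js sketch that sends COOP and COEP as real response headers and flags any http-equiv tags in the page that browsers ignore. The names ignoredHttpEquiv, buildResponse, PAGE and serve, the --serve switch and port 8080 are assumptions made for illustration.

```javascript
// http-equiv keywords that take effect per the WHATWG HTML spec linked above.
// (set-cookie is also listed there, but user agents are required to ignore it.)
const META_HTTP_EQUIV = new Set([
  "content-language", "content-type", "default-style",
  "refresh", "x-ua-compatible", "content-security-policy",
]);

// Return the http-equiv values in `html` (lowercased) that have no effect.
function ignoredHttpEquiv(html) {
  const re = /<meta\b[^>]*\bhttp-equiv\s*=\s*["']?([^"'\s>]+)/gi;
  return [...html.matchAll(re)]
    .map((m) => m[1].toLowerCase())
    .filter((name) => !META_HTTP_EQUIV.has(name));
}

// Real response headers, with the values used in the question.
const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
};

// Hypothetical helper: the response for a page, plus warnings for dead meta tags.
function buildResponse(html) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8", ...ISOLATION_HEADERS },
    body: html,
    warnings: ignoredHttpEquiv(html),
  };
}

// Constructed sample: the question's page, shortened.
const PAGE = `<!DOCTYPE html>
<html><head>
<meta http-equiv="Cross-Origin-Embedder-Policy" content="require-corp">
<meta http-equiv="Cross-Origin-Opener-Policy" content="same-origin">
<meta charset="utf-8"><title>COOP/COEP header test</title>
</head><body>
<script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>
</body></html>`;

// Run with `node <file> --serve`, then open http://127.0.0.1:8080/ (arbitrary port).
async function serve(port = 8080) {
  const http = await import("node:http");
  const r = buildResponse(PAGE);
  r.warnings.forEach((w) => console.warn("ignored meta http-equiv:", w));
  http.createServer((req, res) => {
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port, "127.0.0.1");
}
if (process.argv.includes("--serve")) serve();
```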