Typeform not loading because of cross-origin isolation.

[jeton-th]

Description

In a ReactJS application, I'm using a library that requires cross-origin isolation in order to use the SharedArrayBuffer feature. These are the headers I need to add:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

The problem

The embedded Typeform is not loading anymore:

This is the error from the network activity tab in developer tools related to the Typeform resource:

To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers:
Cross-Origin-Resource-Policy: same-site Choose this option if the resource and the document are served from the same site.
Cross-Origin-Resource-Policy: cross-origin Only choose this option if an arbitrary website including this resource does not impose a security risk.

[mathio]

Hello @jeton-th I will talk to our security team to figure out how adding those headers would affect other customers and if we can do it.

[mathio]

The change was approved by security, I will update you here when we add the header.

[mathio]

Update: This change is not as straightforward as we anticipated. Assets loaded by typeform (such as images) will need to send those headers as well, otherwise they will not load.

[maxprilutskiy]

Update: this will require some infra changes on our side, so please do not expect support for this case in the nearest future. We will be posting updates, if any, in this issue.

[mathio]

Hello @jeton-th there were some recent changes to out CSP headers. Can you please see if this resolved the issue in your application?

[jeton-th]

Hello @jeton-th there were some recent changes to out CSP headers. Can you please see if this resolved the issue in your application?

No, the issue remains.

[github-actions]

This issue is stale because it has been open for 30 days with no activity.

[mathio]

Hi @jeton-th, we're going to close out this issue for the time being.

As you know, we've spoken internally about solving this and whilst we've tried to make headway, the solution is more complex than we'd initially thought.

We appreciate it's something that would improve your implementation of an embed and we've logged the feedback so that we can continue to assess how to prioritize an improvement.