From 2b3087626fd7e170b77d019dc80afd19820c195c Mon Sep 17 00:00:00 2001
From: George Stagg
Date: Sat, 10 Feb 2024 08:37:38 -0600
Subject: [PATCH] Switch COEP header to use "credentialless"

With this, cross-origin requests for embedded content are sent without credentials and the responses are allowed without an explicit permission via the CORP header in the response. This fixes embedding certain types of content in webR Shinylive apps, while still allowing the option of using cross-origin isolation and SharedArrayBuffer with webR.
---
 scripts/build.ts | 2 +-
 src/messageporthttp.ts | 2 +-
 src/shinylive-sw.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/build.ts b/scripts/build.ts
index 84a598ff..604996fb 100644
--- a/scripts/build.ts
+++ b/scripts/build.ts
@@ -264,7 +264,7 @@ if (serve) {
 proxyRes.headers = {
 ...proxyRes.headers,
 "cross-origin-opener-policy": "same-origin",
- "cross-origin-embedder-policy": "require-corp",
+ "cross-origin-embedder-policy": "credentialless",
 "cross-origin-resource-policy": "cross-origin",
 };
 }
diff --git a/src/messageporthttp.ts b/src/messageporthttp.ts
index 04cbd7bb..127e1751 100644
--- a/src/messageporthttp.ts
+++ b/src/messageporthttp.ts
@@ -259,7 +259,7 @@ export async function makeHttpuvRequest(
 const headers = Object.assign(
 {
- "cross-origin-embedder-policy": "require-corp",
+ "cross-origin-embedder-policy": "credentialless",
 "cross-origin-resource-policy": "cross-origin",
 },
 Object.fromEntries(
diff --git a/src/shinylive-sw.ts b/src/shinylive-sw.ts
index b2f23d51..5002eccf 100644
--- a/src/shinylive-sw.ts
+++ b/src/shinylive-sw.ts
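Review bot: The new `credentialless` value on the proxied response silently degrades isolation in any browser that does not recognise it: an unknown COEP value is treated as `unsafe-none`, so `self.crossOriginIsolated` becomes false and `SharedArrayBuffer` is unavailable with no error, whereas `require-corp` is understood by every browser that implements COEP at all. At the time of this commit that fallback applied to Safari in particular, so the "still allowing ... cross-origin isolation" in the description holds only where the value is supported; a runtime check of `crossOriginIsolated` before the webR path, or at least a documented note, would make the failure visible rather than silent. The same literal now appears in three files (this hunk, `src/messageporthttp.ts` and `src/shinylive-sw.ts`), so hoisting it to one shared constant such as `export const COEP_VALUE = "credentialless";` would keep the three in step the next time the policy changes. The enclosing `if (serve)` block starts and ends outside the hunk.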
@@ -20,7 +20,7 @@ const version = "v6";
 // for cross-origin isolation. Required when using webR.
 function addCoiHeaders(resp: Response): Response {
 const headers = new Headers(resp.headers);
- headers.set("Cross-Origin-Embedder-Policy", "require-corp");
+ headers.set("Cross-Origin-Embedder-Policy", "credentialless");
 headers.set("Cross-Origin-Resource-Policy", "cross-origin");
 headers.set("Cross-Origin-Opener-Policy", "same-origin");
 return new Response(resp.body, {
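Review bot: The header comment above `addCoiHeaders` (its first line lies outside the hunk) still only says the headers are "for cross-origin isolation" and does not record why `credentialless` was chosen over `require-corp` or what it costs, which is exactly what a maintainer will wonder about at the changed `headers.set` line. A short addition would capture it: `// COEP "credentialless" drops credentials from no-cors cross-origin fetches instead of` / `// demanding a CORP header on every embedded resource; a browser that does not` / `// recognise the value treats it as "unsafe-none", i.e. no isolation.` The function body continues past the end of the hunk.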