Hey all,
We're introducing changes to the Shared Storage API in M130 to give you more flexibility when working with cross-origin worklet scripts.
What’s changing
We are removing the same-origin restriction for addModule() so you can now load worklet scripts from any origin. Cross-origin worklet scripts enable key use cases such as hosting worklet scripts on CDNs. When the worklet script is cross-origin to the invoking browsing context, the invoking context's origin is used as the data partition origin for accessing shared storage.
To match the new addModule() behaviour, and reduce potential confusion, the dataOrigin property will be added to the createWorklet() call to allow reading and writing to a shared storage data partition that is different from the invoking browsing context. This gives you more granular control over which origin's shared storage is accessed by each worklet, even when using cross-origin worklet scripts.
How it will change
As of M125, a third-party cross-origin script on a page is able to create cross-origin worklets without the need for cross-origin iframes by invoking createWorklet(url). Currently, createWorklet(url) uses the script URL (url) origin as the data partition origin, regardless of the invoking context.
In M130, to align with the new addModule() behaviour, createWorklet() will also use the invoking context as the default data partition origin. To continue using the script URL origin as the data partition origin, a new property dataOrigin is being introduced to allow you to explicitly set the data partition origin.
The new dataOrigin property accepts "script-origin", which sets the data partition origin to the script’s origin, and "context-origin", which sets the data partition origin to the invoking browsing context’s origin. In a future release we also plan to support custom data partition origins, where a worklet script can access shared storage data from an arbitrary origin on an opt-in basis.
When loading a cross-origin script with data origin set to "script-origin", the request for the script sent from the browser will include a "Sec-Shared-Storage-Data-Origin: <origin>" header. To enable this, the response that serves the script must also include the "Shared-Storage-Cross-Origin-Worklet-Allowed: ?1" opt-in response header.
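One way a script host could decide when to send the opt-in header described above, as an added example that is not code from this post or from Chrome. The allowlist policy, the origins in it, and the function names are constructed for illustration, and request header names are assumed to arrive lowercased (as in Node's `req.headers`).

```javascript
// Added example. Header names are the ones quoted in the post; everything
// else (allowlist, origins, function names) is constructed.
const DATA_ORIGIN_HEADER = "sec-shared-storage-data-origin"; // lowercased lookup key
const OPT_IN_HEADER = "Shared-Storage-Cross-Origin-Worklet-Allowed";

// Hypothetical policy: origin values for which this host is willing to opt in.
const OPTED_IN_ORIGINS = new Set(["https://a.example", "https://b.example:8443"]);

// Return the value if it is exactly one serialized https origin, else null.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:") return null;
    // Exact match rejects paths, userinfo, default ports, mixed case and
    // comma-joined duplicates of the header.
    return u.origin === value ? value : null;
  } catch {
    return null; // not a URL at all, e.g. the literal string "null"
  }
}

// Build the response headers for a worklet script request.
function workletHeaders(requestHeaders, optedIn = OPTED_IN_ORIGINS) {
  const headers = {
    "Content-Type": "text/javascript",
    // The response differs by this request header, so a CDN or other shared
    // cache must not reuse an opted-in response for a different request.
    "Vary": "Sec-Shared-Storage-Data-Origin",
  };
  const origin = parseOrigin(requestHeaders[DATA_ORIGIN_HEADER]);
  // Fail closed: no header, a malformed value, or an unlisted origin gets
  // the script without the opt-in.
  if (origin !== null && optedIn.has(origin)) {
    headers[OPT_IN_HEADER] = "?1"; // structured-field boolean "true"
  }
  return headers;
}
```

In a Node server this would be called as `res.writeHead(200, workletHeaders(req.headers))` before sending the script body.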
How to be ready
For forward-compatibility, if you’re already using createWorklet() with the script origin as the worklet's data partition origin, you can set the dataOrigin as below ahead of the release to ensure compatibility:
```
sharedStorage.createWorklet(scriptUrl, {dataOrigin: "script-origin"});
```
Since createWorklet() allows the creation of a cross-origin data partition and the creation of multiple worklets, we encourage you to transition to createWorklet() over uses of addModule().
We will update the API walkthrough documentation to reflect these changes and provide further guidance on forward compatibility.