Should we add the ''crossorigin'' attribute to the **script**, **link**
and **img** tags of the template files ?
Without this attribute the files are blocked with Cross-Origin Opener
Policy.
--
Ticket URL: <https://code.djangoproject.com/ticket/33803>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* cc: Adam Johnson (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/33803#comment:1>
* status: new => closed
* resolution: => invalid
Comment:
No, the answer here is not to change Django. When setting COEP to require-
corp, you have two options to allow cross-origin assets to work. *Either*
you set the `crossorigin` attribute, or the assets are served with a CORP
header declaring cross-origin loading to be allowed. Thus, you should
change your static asset hosting to add this CORP header. I blogged about
these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-coep-coop-
corp-security-headers-in-django/
Also with HTTP 2+ it's more efficient to serve your assets from the same
domain, as they can be served on a single connection. Most sites should be
doing this. Whitenoise is a popular solution for doing so with minimal
configuration: https://whitenoise.evans.io/en/stable/ .
--
Ticket URL: <https://code.djangoproject.com/ticket/33803#comment:2>
Comment (by fcrozatier):
Replying to [comment:2 Adam Johnson]:
Thank you.
> No, the answer here is not to change Django. When setting COEP to
require-corp, you have two options to allow cross-origin assets to work.
*Either* you set the `crossorigin` attribute, or the assets are served
with a CORP header declaring cross-origin loading to be allowed. Thus, you
should change your static asset hosting to add this CORP header. I blogged
about these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-
coep-coop-corp-security-headers-in-django/
>
> Also with HTTP 2+ it's more efficient to serve your assets from the same
domain, as they can be served on a single connection. Most sites should be
doing this. Whitenoise is a popular solution for doing so with minimal
configuration: https://whitenoise.evans.io/en/stable/ .
--
Ticket URL: <https://code.djangoproject.com/ticket/33803#comment:3>