相关文章推荐
飘逸的登山鞋  ·  405 Method Not ...·  2 周前    · 
傲视众生的电脑桌  ·  Access-Control-Allow-O ...·  1 周前    · 
豁达的小马驹  ·  OSS设置跨域资源共享CORS_对象存储(O ...·  1 周前    · 
很拉风的啄木鸟  ·  跨站资源共享(CORS)漏洞的误配置及检测方 ...·  1 周前    · 
销魂的大白菜  ·  客户端漏洞篇之跨域资源共享(CORS)专题 ...·  1 周前    · 
狂野的风衣  ·  Pandas ...·  1 年前    · 
任性的手电筒  ·  InternetExplorer ...·  1 年前    · 
重感情的沙滩裤  ·  BIN,BCD,ASCII码分别对应的Hex ...·  1 年前    · 
宽容的苦咖啡  ·  google-api-php-client ...·  2 年前    · 
Code  ›  Permissions-Policy: cross-origin-isolated directive
access origin header cors
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/cross-origin-isolated
八块腹肌的草稿本
2 月前

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header cross-origin-isolated directive controls whether the current document is allowed to use APIs that require cross-origin isolation .

Specifically, where a defined policy blocks use of this feature, the Window.crossOriginIsolated and WorkerGlobalScope.crossOriginIsolated properties will always return false , and the document will not benefit from reduced restrictions on the use of some APIs that are granted only to cross-origin isolated documents. This is true regardless of the Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers, and whether the document would have been cross-origin isolated had the permission been granted.

The APIs that require this permission include the use of SharedArrayBuffer objects and Performance.now() with unthrottled timers — see Window.crossOriginIsolated for information about other restricted APIs.

The permission can be used to maintain restrictions on access to the sensitive APIs unless they are actually needed by a cross-origin isolated document. Note that if the feature is not allowed, but it otherwise would have been cross-origin isolated, then in all other respects it is still cross-origin isolated. For example, it will only share a browsing context group with documents in the same origin.

<allowlist>

A list of one or more origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for cross-origin-isolated is self .

Specifications

Specification Learn how to contribute

This page was last modified on by MDN contributors . View this page on GitHub Report a problem with this content

  1. HTTP
  2. Guides
  3. Overview of HTTP
  4. Evolution of HTTP
  5. A typical HTTP session
  6. HTTP messages
  7. Media types
    1. Common types
  8. Compression in HTTP
  9. HTTP caching
  10. HTTP authentication
  11. Using HTTP cookies
  12. Redirections in HTTP
  13. Conditional requests
  14. Range requests
  15. Client hints
  16. Compression Dictionary Transport
  17. Network Error Logging
  18. Content negotiation
    1. Default Accept values
  19. Browser detection using the UA string
  20. Connection management in HTTP/1.x
  21. Protocol upgrade mechanism
  22. Proxy servers and tunneling
    1. Proxy Auto-Configuration (PAC) file
  23. Security and privacy
    1. HTTP Observatory
    2. Practical implementation guides
    3. Permissions Policy
    4. Cross-Origin Resource Policy (CORP)
    5. Cross-Origin Resource Sharing (CORS)
    6. CORS errors
      1. Reason: CORS disabled
      2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
      3. Reason: CORS header 'Access-Control-Allow-Origin' missing
      4. Reason: CORS header 'Origin' cannot be added
      5. Reason: CORS preflight channel did not succeed
      6. Reason: CORS request did not succeed
      7. Reason: CORS request external redirect not allowed
      8. Reason: CORS request not HTTP
      9. Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'
      10. Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'
      11. Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'
      12. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'
      13. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'
      14. Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel
      15. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
    7. Content Security Policy (CSP)
      1. Errors and warnings
  24. Reference
  25. HTTP headers
    1. Accept
    2. Accept-CH
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch
    6. Accept-Post
    7. Accept-Ranges
    8. Access-Control-Allow-Credentials
    9. Access-Control-Allow-Headers
    10. Access-Control-Allow-Methods
    11. Access-Control-Allow-Origin
    12. Access-Control-Expose-Headers
    13. Access-Control-Max-Age
    14. Access-Control-Request-Headers
    15. Access-Control-Request-Method
    16. Age
    17. Allow
    18. Alt-Svc
    19. Alt-Used
    20. Attribution-Reporting-Eligible
    21. Attribution-Reporting-Register-Source
    22. Attribution-Reporting-Register-Trigger
    23. Authorization
    24. Available-Dictionary
    25. Cache-Control
    26. Clear-Site-Data
    27. Connection
    28. Content-Digest
    29. Content-Disposition
    30. Content-DPR
    31. Content-Encoding
    32. Content-Language
    33. Content-Length
    34. Content-Location
    35. Content-Range
    36. Content-Security-Policy
    37. Content-Security-Policy-Report-Only
    38. Content-Type
    39. Cookie
    40. Critical-CH
    41. Cross-Origin-Embedder-Policy
    42. Cross-Origin-Opener-Policy
    43. Cross-Origin-Resource-Policy
    44. Date
    45. Device-Memory
    46. Dictionary-ID
    47. Downlink
    48. Early-Data
    49. ETag
    50. Expect
    51. Expect-CT
    52. Expires
    53. Forwarded
    54. From
    55. Host
    56. If-Match
    57. If-Modified-Since
    58. If-None-Match
    59. If-Range
    60. If-Unmodified-Since
    61. Integrity-Policy
    62. Integrity-Policy-Report-Only
    63. Keep-Alive
    64. Last-Modified
    65. Link
    66. Location
    67. Max-Forwards
    68. NEL
    69. No-Vary-Search
    70. Observe-Browsing-Topics
    71. Origin
    72. Origin-Agent-Cluster
    73. Permissions-Policy
    74. Pragma
    75. Prefer
    76. Preference-Applied
    77. Priority
    78. Proxy-Authenticate
    79. Proxy-Authorization
    80. Range
    81. Referer
    82. Referrer-Policy
    83. Refresh
    84. Report-To
    85. Reporting-Endpoints
    86. Repr-Digest
    87. Retry-After
    88. RTT
    89. Save-Data
    90. Sec-Browsing-Topics
    91. Sec-CH-Prefers-Color-Scheme
    92. Sec-CH-Prefers-Reduced-Motion
    93. Sec-CH-Prefers-Reduced-Transparency
    94. Sec-CH-UA
    95. Sec-CH-UA-Arch
    96. Sec-CH-UA-Bitness
    97. Sec-CH-UA-Form-Factors
    98. Sec-CH-UA-Full-Version
    99. Sec-CH-UA-Full-Version-List
    100. Sec-CH-UA-Mobile
    101. Sec-CH-UA-Model
    102. Sec-CH-UA-Platform
    103. Sec-CH-UA-Platform-Version
    104. Sec-CH-UA-WoW64
    105. Sec-Fetch-Dest
    106. Sec-Fetch-Mode
    107. Sec-Fetch-Site
    108. Sec-Fetch-User
    109. Sec-GPC
    110. Sec-Purpose
    111. Sec-Speculation-Tags
    112. Sec-WebSocket-Accept
    113. Sec-WebSocket-Extensions
    114. Sec-WebSocket-Key
    115. Sec-WebSocket-Protocol
    116. Sec-WebSocket-Version
    117. Server
    118. Server-Timing
    119. Service-Worker
    120. Service-Worker-Allowed
    121. Service-Worker-Navigation-Preload
    122. Set-Cookie
    123. Set-Login
    124. SourceMap
    125. Speculation-Rules
    126. Strict-Transport-Security
    127. Supports-Loading-Mode
    128. TE
    129. Timing-Allow-Origin
    130. Tk
    131. Trailer
    132. Transfer-Encoding
    133. Upgrade
    134. Upgrade-Insecure-Requests
    135. Use-As-Dictionary
    136. User-Agent
    137. Vary
    138. Via
    139. Viewport-Width
    140. Want-Content-Digest
    141. Want-Repr-Digest
    142. Warning
    143. Width
    144. WWW-Authenticate
    145. X-Content-Type-Options
    146. X-DNS-Prefetch-Control
    147. X-Forwarded-For
    148. X-Forwarded-Host
    149. X-Forwarded-Proto
    150. X-Frame-Options
    151. X-Permitted-Cross-Domain-Policies
    152. X-Powered-By
    153. X-Robots-Tag
    154. X-XSS-Protection
  26. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  27. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols
    3. 102 Processing
    4. 103 Early Hints
    5. 200 OK
    6. 201 Created
    7. 202 Accepted
    8. 203 Non-Authoritative Information
    9. 204 No Content
    10. 205 Reset Content
    11. 206 Partial Content
    12. 207 Multi-Status
    13. 208 Already Reported
    14. 226 IM Used
    15. 300 Multiple Choices
    16. 301 Moved Permanently
    17. 302 Found
    18. 303 See Other
    19. 304 Not Modified
    20. 307 Temporary Redirect
    21. 308 Permanent Redirect
    22. 400 Bad Request
    23. 401 Unauthorized
    24. 402 Payment Required
    25. 403 Forbidden
    26. 404 Not Found
    27. 405 Method Not Allowed
    28. 406 Not Acceptable
    29. 407 Proxy Authentication Required
    30. 408 Request Timeout
    31. 409 Conflict
    32. 410 Gone
    33. 411 Length Required
    34. 412 Precondition Failed
    35. 413 Content Too Large
    36. 414 URI Too Long
    37. 415 Unsupported Media Type
    38. 416 Range Not Satisfiable
    39. 417 Expectation Failed
    40. 418 I'm a teapot
    41. 421 Misdirected Request
    42. 422 Unprocessable Content
    43. 423 Locked
    44. 424 Failed Dependency
    45. 425 Too Early
    46. 426 Upgrade Required
    47. 428 Precondition Required
    48. 429 Too Many Requests
    49. 431 Request Header Fields Too Large
    50. 451 Unavailable For Legal Reasons
    51. 500 Internal Server Error
    52. 501 Not Implemented
    53. 502 Bad Gateway
    54. 503 Service Unavailable
    55. 504 Gateway Timeout
    56. 505 HTTP Version Not Supported
    57. 506 Variant Also Negotiates
    58. 507 Insufficient Storage
    59. 508 Loop Detected
    60. 510 Not Extended
    61. 511 Network Authentication Required
  28. CSP directives
    1. base-uri
    2. block-all-mixed-content
    3. child-src
    4. connect-src
    5. default-src
    6. fenced-frame-src
    7. font-src
    8. form-action
    9. frame-ancestors
    10. frame-src
    11. img-src
    12. manifest-src
    13. media-src
    14. object-src
    15. prefetch-src
    16. report-to
    17. report-uri
    18. require-trusted-types-for
    19. sandbox
    20. script-src
    21. script-src-attr
    22. script-src-elem
    23. style-src
    24. style-src-attr
    25. style-src-elem
    26. trusted-types
    27. upgrade-insecure-requests
    28. worker-src
  29. Permissions-Policy directives
    1. accelerometer
    2. ambient-light-sensor
    3. attribution-reporting
    4. autoplay
    5. bluetooth
    6. browsing-topics
    7. camera
    8. captured-surface-control
    9. compute-pressure
    10. cross-origin-isolated
    11. deferred-fetch
    12. deferred-fetch-minimal
    13. display-capture
    14. encrypted-media
    15. fullscreen
    16. gamepad
    17. geolocation
    18. gyroscope
    19. identity-credentials-get
    20. idle-detection
    21. language-detector
    22. local-fonts
    23. magnetometer
    24. microphone
    25. otp-credentials
    26. payment
    27. picture-in-picture
    28. publickey-credentials-create
    29. publickey-credentials-get
    30. screen-wake-lock
    31. serial
    32. speaker-selection
    33. storage-access
    34. summarizer
    35. translator
    36. web-share
    37. window-management
    38. xr-spatial-tracking
  30. HTTP resources and specifications
 
推荐文章
飘逸的登山鞋  ·  405 Method Not Allowed - HTTP | MDN
2 周前
傲视众生的电脑桌  ·  Access-Control-Allow-Origin - HTTP | MDN
1 周前
豁达的小马驹  ·  OSS设置跨域资源共享CORS_对象存储(OSS)-阿里云帮助中心
1 周前
很拉风的啄木鸟  ·  跨站资源共享(CORS)漏洞的误配置及检测方法 - 时光不改
1 周前
销魂的大白菜  ·  客户端漏洞篇之跨域资源共享(CORS)专题 - FreeBuf网络安全行业门户
1 周前
狂野的风衣  ·  Pandas 判断两列内容是否相同并将结果新建一列-阿里云开发者社区
1 年前
任性的手电筒  ·  InternetExplorer COMException: System.Runtime.InteropServices.COMexception: RPC服务器不可用-腾讯云开发者社区-腾讯云
1 年前
重感情的沙滩裤  ·  BIN,BCD,ASCII码分别对应的Hex(16进制)数_bin码_努力的小肥丸的博客-CSDN博客
1 年前
宽容的苦咖啡  ·  google-api-php-client calendar example-掘金
2 年前
今天看啥   ·   Py中国   ·   codingpro   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
Code - 代码工具平台
© 2024 ~ 沪ICP备11025650号