Add crossOrigin to Notifications API

[rostero1]

What problem are you trying to solve?

It's not possible to load an icon from a different origin with the following headers:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

What solutions exist today?

None

How would you solve it?

Support crossOrigin as an Notifications API option

Anything else?

No response

[annevk]

If the icon came with a Cross-Origin-Resource-Policy header it'd work. But I guess you want a way to fetch using CORS instead? Seems somewhat reasonable to support I suppose.

[rostero1]

@annevk That did solve my issue, but I think the option would still be helpful if loading your assets through a CDN or some other resource that you cannot add the headers to.

In case someone finds this when trying to troubleshoot a similar issue:

My app loads with the following headers to allow for securely using SharedarrayBuffers.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

The index.html loads the cross-origin react app via: crossorigin="".

Now all the images won't loaded through the React app won't load unless I explicitly add crossorgin="" to each image (which is not possible for the Notifications API) or update my cross-origin assets server to add Cross-Origin-Resource-Policy: cross-origin.

I'm a little confused about security:

I assume this is safe for SharedArrayBuffers, otherwise Chrome would through an error when I try to execute: const sab = new SharedArrayBuffer(1024);. Do you know if that's correct?

[annevk]

For the images the same header would work as for the icon. And yes, without COOP+COEP, there's no SAB constructor exposed.