Now CORP (Cross-Origin Resource Policy) and COEP (Cross-Origin Embedder Policy) are messing up the Web

[mrcolbyrussell]

0. Add the hypothes.is bookmarklet† to your bookmarks
1. Visit https://surma.dev/things/cost-of-convenience/
2. Activate the hypothes.is bookmarklet
3. Check your browser's network inspector to look for CSP headers on the original resource (/things/cost-of-convenience)
4. View the source of the page to look for CSP directives there

Results:

There is no CSP directive preventing the loading of embed.js.

Instead, there's a new header in town: Cross-Origin-Embedder-Policy, which can have a value require-corp. If present, this means that resources loaded by e.g. script need to send a Cross-Origin-Resource-Policy in the response. Servers unaware of this requirement will necessarily fail to include this header in the response, which means that attempts by browsers to use the resource requested will result in failure—at least in contexts where authors of the page where the request originates from have (stupidly) set up their server to send require-corp.

† Alternatively, you can just try to inject the script https://hypothes.is/embed.js yourself; the bookmarklet basically does this:

var s = document.createElement("script");
s.setAttribute("src","https://hypothes.is/embed.js");
document.body.appendChild(s);