Bug 261734 - CORP headers mishandled inside Worker
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: Safari 16
Hardware: Mac (Apple Silicon) Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2023-09-19 06:10 PDT by Jozef Chutka
Modified: 2023-09-26 06:11 PDT

Description Jozef Chutka 2023-09-19 06:10:32 PDT
Reproduction steps:

Have https://domain-a/index.html served with headers:

```
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```

and content:

```
<script>
const content = `import { foo } from "https://domain-b/module.js";`;
const blob = new Blob([content], {type:"text/javascript"});
new Worker(URL.createObjectURL(blob), {type:"module"});
</script>
```

And have https://domain-b/module.js served with headers:

```
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *
Cross-Origin-Resource-Policy: cross-origin
```

and whatever content:

```
console.log("hello");
```

This is a valid combination of COOP/COEP vs. CORP headers; however, running https://domain-a/index.html in Safari 16.6 fails to load module.js, with the following console errors:

```
[Error] Refused to load 'https://domain-b/module.js' worker because of Cross-Origin-Embedder-Policy.
[Error] Worker load was blocked by Cross-Origin-Embedder-Policy
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Cannot load https://domain-b/module.js due to access control checks.
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Importing a module script failed.
```

Changing the content of index.html to something like:

```
<script src="https://domain-b/module.js"></script>
```

...will load correctly, confirming the headers are correctly set, and the issue is related to the Worker sandbox.
Comment 1 Jozef Chutka 2023-09-20 02:15:40 PDT
The workaround is to replace:

```
import { foo } from "https://domain-b/module.js"
```

with fetch + the import() function:

```
const response = await fetch("https://domain-b/module.js");
const blob = await response.blob();
const { pipeline } = await import(URL.createObjectURL(blob));
```

Considering fetch() is allowed to load a URL while a static import declaration is blocked, it seems to me the bug in Safari has something to do with security for static import declarations.
Comment 2 Radar WebKit Bug Importer 2023-09-26 06:11:15 PDT
<rdar://problem/116051307>
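
Added example (not part of the bug report and not WebKit code): a simplified model of the header checks the Fetch Standard applies to the reproduction's `module.js` response, for both a CORS-mode request (module import, `fetch()`) and a no-cors request (classic `<script src>`). The function names and the two-label "same site" approximation are assumptions made for this illustration.

```javascript
// Simplified model of the Fetch Standard's response checks; hypothetical helper names.

// Assumption: "same site" compares the last two host labels.
// Real browsers consult the Public Suffix List instead.
function sameSite(a, b) {
  const site = (u) => u.hostname.split(".").slice(-2).join(".");
  return site(a) === site(b);
}

// CORP check, applied to no-cors (opaque) subresource responses.
function corpCheck(embedderOrigin, coep, responseUrl, headers) {
  const origin = new URL(embedderOrigin);
  const target = new URL(responseUrl);
  let policy = (headers["cross-origin-resource-policy"] || "").trim();
  if (!["same-origin", "same-site", "cross-origin"].includes(policy)) policy = null;
  // Under COEP require-corp, a missing or invalid CORP header means same-origin.
  if (policy === null && coep === "require-corp") policy = "same-origin";
  if (policy === null || policy === "cross-origin") return "allowed";
  if (policy === "same-origin") {
    return origin.origin === target.origin ? "allowed" : "blocked";
  }
  // policy === "same-site": also refuse an https resource embedded by a non-https origin.
  const schemeOk = origin.protocol === "https:" || target.protocol !== "https:";
  return sameSite(origin, target) && schemeOk ? "allowed" : "blocked";
}

// CORS check for requests sent without credentials (a "*" wildcard is
// only honoured when no credentials are included).
function corsCheck(embedderOrigin, headers) {
  const acao = (headers["access-control-allow-origin"] || "").trim();
  return acao === "*" || acao === new URL(embedderOrigin).origin ? "allowed" : "blocked";
}

// mode is "cors" (module imports, fetch()) or "no-cors" (classic <script src>).
function evaluate(mode, embedderOrigin, coep, responseUrl, headers) {
  return mode === "cors"
    ? corsCheck(embedderOrigin, headers)
    : corpCheck(embedderOrigin, coep, responseUrl, headers);
}

// Constructed input mirroring the headers the report lists for module.js.
const reportHeaders = {
  "access-control-allow-origin": "*",
  "access-control-expose-headers": "*",
  "cross-origin-resource-policy": "cross-origin",
};
```

Under this model both request modes are allowed for the report's headers, and removing either `Cross-Origin-Resource-Policy` (no-cors) or `Access-Control-Allow-Origin` (cors) flips the corresponding result to blocked.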