Is it normal that Cross-Origin-Embedder-Policy is not enabled for assets

[leo91000]

I have a project that uses pdfjs and that include a huge worker file (compiled by vite, so on the same domain)

I have this nuxt-security policy :

      crossOriginEmbedderPolicy: {
        value: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp',
        route: '/**',
      },

The header is included as expected on normal pages.
Is it normal that the file itself doesn't respond with the cross origin embedder policy ?

Thanks !

[Baroshem]

Hey,

The security header rules are created for the root document of your Nuxt application. They are not set for all the assets and other resources you may have in your application.

I have no experience with pdf.js

Maybe you could use some H3 functions like setResponseHeaders to help you out with this issue -> https://www.jsdocs.io/package/h3#setResponseHeaders

[leo91000]

I found the solution. The problem is that vercel serve all assets from their CDN and nuxt have no control over headers. I had to update the vercel.json file to update COEP headers and it works fine

[Baroshem]

Awesome, glat that you have found an answer for that! :)