Deploying Godot 4 HTML exports with cross-origin isolation
To prevent vulnerabilities, sites using the SharedArrayBuffer feature need to fulfill some security requirements:
- They must be in a Secure Context, which is mostly achieved by serving the site over HTTPS.
- They need to set a suitable Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) header resulting in “Cross-Origin Isolation”.
The standard values for these are `same-origin` and `require-corp` respectively, but Chrome also supports `credentialless` as an embedder policy.
Let’s look at how we can fulfill these requirements when deploying our games to itch.io and Netlify.
itch.io has experimental support for SharedArrayBuffers. All we have to do is tick the “SharedArrayBuffer support” checkbox in the Embed Options > Frame Options section of our game’s settings page.
Setting the standard Cross-Origin Isolation headers breaks some features that interact with other domains. itch.io uses Chrome’s `credentialless` option for the COEP header, which lifts some of the restrictions imposed by the standard `require-corp` policy. Firefox does not implement `credentialless` at the time of writing, meaning Godot 4 HTML exports deployed on itch.io will only run in Chrome-based browsers.
In contrast to itch.io and other simple hosting options like GitHub Pages, Netlify allows setting custom headers using a `_headers` file or the `netlify.toml` configuration file. Here’s the entry in `netlify.toml` for setting the required cross-origin policy headers to run in both Chrome and Firefox:
```toml
# Apply the two isolation headers to every path of the site.
[[headers]]
  for = "/*"
  [headers.values]
    Cross-Origin-Opener-Policy = "same-origin"
    Cross-Origin-Embedder-Policy = "require-corp"
```
It has only been about half a year since Chrome shipped `credentialless` support, and Firefox is testing it using an Origin Trial. Going forward, it’s likely we’ll see `credentialless` as the standard way to enable SharedArrayBuffers, resolving the itch.io Firefox incompatibility.
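To verify a deployment before relying on it, the following added example (not code from the original post, itch.io or Netlify) parses raw response headers such as the output of `curl -sI <url>` and reports whether they grant cross-origin isolation. Browser support is modelled as stated above at the time of writing: `require-corp` works in both browsers, `credentialless` only in Chrome-based ones; the sample header block is constructed.

```javascript
// Added example: check whether a deployed page's COOP/COEP headers give
// SharedArrayBuffer the cross-origin isolation it needs.
const COOP = "cross-origin-opener-policy";
const COEP = "cross-origin-embedder-policy";

// Parse raw response headers (e.g. `curl -sI <url>` output) into a map of
// lowercase header name -> value. The status line and blank lines are skipped.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0 || line.startsWith("HTTP/")) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Policy headers may carry parameters such as `same-origin; report-to="x"`;
// only the policy token before the first ';' decides isolation.
function policyToken(value) {
  return (value || "").split(";")[0].trim().toLowerCase();
}

// browser: "chrome" (Chrome-based) or "firefox"; assumption: credentialless
// is accepted only by Chrome-based browsers, as the post describes.
function classifyIsolation(headers, browser = "chrome") {
  const coop = policyToken(headers[COOP]);
  const coep = policyToken(headers[COEP]);
  const problems = [];
  if (coop !== "same-origin") {
    problems.push(`COOP is "${coop || "(missing)"}", need same-origin`);
  }
  const coepOk =
    coep === "require-corp" || (coep === "credentialless" && browser === "chrome");
  if (!coepOk) {
    problems.push(coep === "credentialless"
      ? `COEP credentialless is not supported in ${browser}`
      : `COEP is "${coep || "(missing)"}", need require-corp or credentialless`);
  }
  return { isolated: problems.length === 0, problems };
}

// Constructed sample: the Netlify headers from above as curl would print them.
const SAMPLE = [
  "HTTP/2 200",
  "content-type: text/html; charset=utf-8",
  "cross-origin-opener-policy: same-origin",
  "cross-origin-embedder-policy: require-corp",
].join("\r\n");

console.log(JSON.stringify(classifyIsolation(parseRawHeaders(SAMPLE), "firefox")));
```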
I’d love to deploy my games to GitHub Pages as well. GitHub Pages does not allow setting custom headers, but there is a feature request for COOP/COEP with a potential workaround that uses a service worker to set the required headers.