Add worker script explanation to COOP-COEP article

[agektmr]

This pull request updates https://web.dev/cross-origin-isolation-guide/ and https://web.dev/coop-coep/ to better explain how to opt-in to cross-origin isolation when worker scripts are used.
cc: @ArthurSonzogni

[chrome-devrel-review-bot]

Hello! This is an automated review by our custom reviewbot. It updates automatically when code or GitHub comments in this pull request are created or updated.

Requested changes

If there are any common problems with the content files you created or modified, they will be listed here.

src/site/content/en/blog/coop-coep/index.md

• This file passed all of our automated Markdown audits.

src/site/content/en/secure/cross-origin-isolation-guide/index.md

• This file passed all of our automated Markdown audits.

[netlify]

✅ Deploy Preview for web-dev-staging ready!

Name	Link
🔨 Latest commit	b0c3d8d
🔍 Latest deploy log	https://app.netlify.com/sites/web-dev-staging/deploys/62b46ecfc57bc00008c80ccc
😎 Deploy Preview	https://deploy-preview-8206--web-dev-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[ArthurSonzogni]

Nice!
Here are some comments below:

[agektmr]

@ArthurSonzogni Please approve if the current changes look good

[alexandrascript]

LGTM % small updates

[ArthurSonzogni]

Thanks! LGTM % removing the sentence about CORP and workers.

[ArthurSonzogni]

Setting CORP is needed only for cross-origin iframe. Not really useful for workers. They are always same-origin.
So, I would remove the "and worker scripts".

COEP on the other site is needed or useful for every environments created by the document. You moved the section later. This is discussed separately, which works.

[agektmr]

You can only spawn a same-origin worker at the first level, but can load a cross-origin script via that worker if you use importScripts. In that case, you have to use CORP: cross-origin header. You can see it working at https://cross-origin-isolation.glitch.me/?coep=require-corp&

[agektmr]

Hmm, this contradicts 🤔
https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#spawning_subworkers

Workers may spawn more workers if they wish. So-called sub-workers must be hosted within the same origin as the parent page.

[ArthurSonzogni]

I understood "worker script" as the "worker's main response".

This is right worker can then use fetch/importScript to load any resources and those resources are subject to CORP checks. Yes, you can nested DedicatedWorker.

[agektmr]

In that case, how about phrasing the line like this:

For iframes and cross-origin worker scripts loaded via `importScripts`, set the `Cross-Origin-Resource-Policy:

[ArthurSonzogni]

This feels weird, because it would mean this applies exclusively to those two resources, which is wrong; it applies to every resources.
Also, I feel weird putting on the same level the main resources (the iframe's response) and a subresource (an external script loaded from the worker).

Maybe you can discuss about all subresources, indepedently of the context (window or worker), and give some examples of subresources?

• From a COEP:require-corp document or a COEP:require-corp worker, cross-origin subresources loaded without CORS must set Cross-Origin-Resource-Policy: cross-origin header to opt-in being embedded. For instance, this applies to: <script>, importScript, <link>, <video>, <iframe>, etc...

[agektmr]

That's a great idea. I'll create a pull request so we can continue the discussion there.

[agektmr]

#8239