Skip to content

Media: Use Document-Isolation-Policy for cross-origin isolation#11098

Open
adamsilverstein wants to merge 12 commits intoWordPress:trunkfrom
adamsilverstein:backport-75991
Open

Media: Use Document-Isolation-Policy for cross-origin isolation#11098
adamsilverstein wants to merge 12 commits intoWordPress:trunkfrom
adamsilverstein:backport-75991

Conversation

@adamsilverstein
Copy link
Member

@adamsilverstein adamsilverstein commented Mar 1, 2026
edited
Loading

https://core.trac.wordpress.org/ticket/64766

Summary

Replaces Cross-Origin-Embedder-Policy / Cross-Origin-Opener-Policy (COEP/COOP) headers with Document-Isolation-Policy: isolate-and-credentialless for cross-origin isolation in the block editor.

DIP is a per-document isolation mechanism available in Chromium 137+ that avoids the breakage COEP/COOP caused for third-party plugins whose iframes lost credentials and DOM access.

What changed

  • DIP-only isolation: Cross-origin isolation is now exclusively provided via Document-Isolation-Policy. COEP/COOP headers are no longer sent.
  • Removed credentialless iframe logic: The credentialless attribute on iframes, iframe content observation, and embed preview filtering are all removed — DIP doesn't need them.
  • Removed __documentIsolationPolicy JS flag: No longer needed since there's only one code path.
  • Skips third-party editors: Cross-origin isolation is skipped when the current screen's editor is not the core block editor.
  • crossorigin="anonymous" still added to subresources via mutation observer.
  • wp_use_document_isolation_policy filter available for customization.
  • wp_get_chrome_major_version() helper added for Chrome version detection.

Browser support

  • Chrome 137+: Full client-side media processing with DIP
  • Other browsers: No cross-origin isolation headers sent; client-side media processing disabled. Support for non-DIP browsers will be handled separately in a plugin.

Test plan

  • Chromium 137+: Verify Document-Isolation-Policy: isolate-and-credentialless header in DevTools (no COEP/COOP headers)
  • Verify window.crossOriginIsolated === true in console
  • Firefox/Safari: Verify no isolation headers sent at all
  • Upload an image in block editor on Chrome 137+ — client-side processing works (wasm-vips loads)
  • Add a YouTube/Twitter embed — preview renders correctly
  • Load a post with a third-party editor — no isolation headers sent
  • php -l src/wp-includes/media.php passes
  • vendor/bin/phpcs src/wp-includes/media.php passes

See WordPress/gutenberg#75991

Trac ticket: https://core.trac.wordpress.org/ticket/64766

Plugin to enable COEP/COOP support for safari/firefox - https://github.com/adamsilverstein/client-side-media-experiments

@adamsilverstein
Media: Use Document-Isolation-Policy for COI
52839e5 
Replace COEP/COOP headers with Document-Isolation-Policy on
Chrome 137+ for cross-origin isolation. DIP provides
per-document isolation without breaking third-party page
builder iframes that rely on same-origin DOM access.

Non-DIP browsers skip isolation entirely since COEP/COOP
caused CORS failures for embeds and broke plugins like
Elementor.
@github-actions
Copy link

github-actions bot commented Mar 1, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props adamsilverstein, westonruter, swissspidy.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link

github-actions bot commented Mar 1, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@adamsilverstein
Disable client-side media processing on non-DIP browsers
064ee21 
Without Document-Isolation-Policy, SharedArrayBuffer is
unavailable and wasm-vips cannot run. Gate the entire
feature (JS flags + module registration) behind the DIP
check so browsers that lack support don't attempt to use
client-side processing at all.
@adamsilverstein
Add tests for cross-origin isolation functions
aa34c2d 
Cover wp_get_chrome_major_version(), the output buffer, and
wp_set_up_cross_origin_isolation() including DIP detection,
browser gating, filter overrides, and third-party editor
skip logic.
@adamsilverstein
Update for DIP-only approach
c936dcc 
Remove __documentIsolationPolicy JS flag and DIP early-return
from wp_set_client_side_media_processing_flag(). Update docblocks
and comments to reflect DIP-only cross-origin isolation.
@adamsilverstein adamsilverstein mentioned this pull request Mar 1, 2026
Open
7 tasks
adamsilverstein and others added 3 commits March 1, 2026 17:12
@adamsilverstein
Fix header tests to run in separate processes
602018a 
Tests that flush output buffers call header() which fails
when PHPUnit has already sent output. Adding
@runInSeparateProcess prevents "headers already sent" errors.
@adamsilverstein
Add __documentIsolationPolicy JS flag
291c608 
Sets window.__documentIsolationPolicy when DIP is active so
JS can distinguish DIP from COOP/COEP cross-origin isolation
and skip unnecessary iframe credentialless attributes.
@adamsilverstein @claude
Tests: Fix output buffer test to correctly capture callback-processed…
05dcc36 
… output

ob_get_flush() returns the original unprocessed buffer content, not the
callback-processed result. Use a nested buffer approach instead: start an
outer buffer, flush the inner buffer (triggering the callback), then get
the processed content from the outer buffer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@adamsilverstein
Remove wp_use_document_isolation_policy filter
0bdef9d 
DIP headers are sent based on browser capability alone.
The existing wp_client_side_media_processing_enabled filter
already gates the entire feature higher in the call chain.
@adamsilverstein
Merge branch 'trunk' into backport-75991
7ff16b3
@adamsilverstein adamsilverstein self-assigned this Mar 2, 2026
@adamsilverstein adamsilverstein mentioned this pull request Mar 2, 2026
Closed
@adamsilverstein
Copy link
Member Author

adamsilverstein commented Mar 3, 2026

@swissspidy should we try to get this in before beta 3?

@westonruter
Copy link
Member

westonruter commented Mar 3, 2026

Per WordPress/gutenberg#75991 (comment):

  • Chrome 137+: Full client-side media processing with DIP

@adamsilverstein Is this Chrome or Chromium? Will it work in Edge? Is there a Can I Use feature for this?

@swissspidy
Copy link
Member

swissspidy commented Mar 3, 2026

Beta 3 would be good timing for sure. But yes need to check the Chromium question.

@adamsilverstein
Copy link
Member Author

adamsilverstein commented Mar 3, 2026
edited
Loading

Per WordPress/gutenberg#75991 (comment):

  • Chrome 137+: Full client-side media processing with DIP

@adamsilverstein Is this Chrome or Chromium? Will it work in Edge? Is there a Can I Use feature for this?

Chromestatus: https://chromestatus.com/feature/5141940204208128

Here is what Claude summarized:
DIP is a Chromium-level feature, so it works in Edge, Brave, Opera, and other Chromium browsers at version 137+. There isn't a Can I Use entry for it yet — the best reference is the Chrome Platform Status entry and the explainer on GitHub. The PR description should probably say "Chromium 137+" rather than "Chrome 137+" to be more accurate. (updating)

Despite WebKit saying Negative on the status page, that doesn't seem accurate. They seem undecided and have yet to offer an alternative. We can offer limited support for Firefox/Safari via a plugin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@westonruter westonruter Awaiting requested review from westonruter

@swissspidy swissspidy Awaiting requested review from swissspidy

Assignees

@adamsilverstein adamsilverstein

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adamsilverstein @westonruter @swissspidy