Unfortunately, these headers are necessary to address fundamental security issues related to high-res time and Spectre-like timing attacks.
I do see that's what it says. But though I don't want to be too dismissive speaking about an area that is not my specialty (e.g. security), my layman's experience with this pattern of solution is that it usually is just "security theater". Flags and strings with no cryptographic basis aren't very powerful tools. Seems they force people to do things that are obfuscating, and almost certainly less secure than what they are replacing.
(By contrast: let's imagine you told me "we've implemented a way in the browser where your <script> tag supplies a hash along with the library you intend to load...so you can check to make sure the bytes are trusted ones". Then I might feel security was getting tighter in some way that makes sense to me.)
I mentioned JSONP because it's sort of my go-to example when explaining this failure mode. Reading data cross-domains was blocked, when running scripts from remote URLs is not...and the script loading ability can't be turned off for the web to work. Hence the clear and obvious need to exchange data with another domain is jury-rigged as scripts that run code from another domain...just in order to poke the data they wanted in a place they can dig it out.
But a more recent/topical example to what this thread is about: I brought up with @AlonZakai that there is a rule prohibiting web workers from loading cross-origin, even if CORS is enabled for that origin. Yet I need to load threaded libs cross-origin. For today (at least) you can use URL.createObjectURL from a CORS-fetched Blob:
(Or, maybe that's considered a "hack" or a loophole that will be closed...? I don't know--and it seems none of us do. This relates to some of the communication problem hinted at in this thread. 🤐)
Maybe you guys know more than me, I dunno. But I'm still stuck at the "I don't get it" level...and feel a bit like a physicist confronted with a schematic for a big perpetual motion machine and asked to prove why it doesn't work. The burden of proof is on the person to show how they're breaking the laws of physics.
So let me try and be explicit about my needs, here:
I have a WASM library which uses threading/workers I want to host statically. I'm willing to put things on the using page to indicate my comfort with the thing I'm loading (hashes if need be). But I can't necessarily control every header on the statically hosted file. I'm already being asked to do CORS, and in the case of S3 that's doable. These other headers are not, at this time. So I ask you to please find a way to satisfy your security concerns that accepts the validity of this scenario...instead of making me load a multi-megabyte file with URL.createObjectURL.
Please take pity on me...as WASM is a rather large bet for my project 🙈. So I'm hoping this desire is considered worth accommodating! (Or... @NagyImre may agree with the sentiment of: if you want this technology to succeed... "help us, help you.")