How to use cross-origin resources while complying with the security requirements of SharedArrayBuffer？

[Jveshi]

https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer
According to the security requirements of SharedArrayBuffer, I added the following content to the server configuration. (The server is Apache)
It is equivalent to adding this http header to all requests.

<IFModule mod_headers.c>
	Header add Cross-Origin-Opener-Policy "same-origin"
	Header add Cross-Origin-Embedder-Policy "require-corp"
</IFModule>

At first, all resources were on the same site. This runs fine with no issues.

Later, I split the referenced open source code, data API, pictures, and video resources to another site.
I found that this will affect cross-domain resources. Delete these two http headers to use cross-domain resources. But this doesn't meet the security requirements of SharedArrayBuffer, so I can't use ffmpeg.wasm.

How to solve this problem?

[LostBeard]

I just did some testing by adding an <img> to my multithreaded ffmpeg.wasm test that has a src attribute pointing at another one of my test domains. It was blocked due to the headers you have also added to enable SharedArrayBuffer. After reading some more on MDN and testing I found the solution which is stated below.

From Cross-Origin-Embedder-Policy on MDN

require-corp

A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.

The servers that provide cross-origin resources to your restricted page need to add the below header. (Not the server serving your page with the 2 headers stated in your post.)

Cross-Origin-Resource-Policy "cross-origin"

[Jveshi]

It seems like this at present. Using SharedArrayBuffer will affect cross-domain resources due to same-origin restrictions. I can only use as few cross-domain resources as possible, and need to use workarounds, such as using base64 strings to transmit user avatars.