[wp-trac] [WordPress Trac] #64766: Media: Use Document-Isolation-Policy for cross-origin isolation on Chrome 137+.
WordPress Trac
noreply at wordpress.org
Sun Mar 1 06:41:55 UTC 2026
#64766: Media: Use Document-Isolation-Policy for cross-origin isolation on Chrome
137+.
-----------------------------+-----------------------
 Reporter:  adamsilverstein  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  7.0
Component:  Editor           |     Version:  trunk
 Severity:  normal           |    Keywords:  has-patch
  Focuses:                   |
-----------------------------+-----------------------
Replace COEP/COOP headers with the new Document-Isolation-Policy header on
Chrome 137+ for cross-origin isolation. DIP provides per-document
isolation without breaking third-party page builder iframes (e.g.
Elementor). Non-DIP browsers skip cross-origin isolation entirely, since
COEP/COOP caused CORS failures for embeds.

* Add `wp_get_chrome_major_version()` helper to detect Chromium browser
  version.
* Add `wp_use_document_isolation_policy` filter for customization.
* Set `window.__documentIsolationPolicy` JS flag when DIP is active.
* Skip cross-origin isolation when a third-party editor action is
  detected.
* Send `Document-Isolation-Policy: isolate-and-credentialless` header
  instead of COEP/COOP.
* Skip the output buffer entirely on non-DIP browsers to prevent CORS
  failures.

See https://github.com/WordPress/gutenberg/pull/75991.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64766>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
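
The header decision described in the ticket, as an added example that is not the patch or WordPress core code. The function names are hypothetical, the User-Agent strings are constructed, and reading the version from the User-Agent request header is an assumption.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

/**
 * Return the Chromium major version found in a User-Agent string, or 0.
 * "CriOS/" (Chrome on iOS, which is WebKit-based) deliberately does not match.
 */
function example_chrome_major_version( string $user_agent ): int {
	if ( preg_match( '~\bChrome/(\d{1,4})\.~', $user_agent, $m ) ) {
		return (int) $m[1];
	}
	return 0;
}

/**
 * Decide which isolation headers to send for one editor request.
 */
function example_isolation_headers( string $user_agent, bool $third_party_editor ): array {
	// A detected third-party editor action skips isolation entirely.
	if ( $third_party_editor ) {
		return array();
	}
	// DIP goes only to Chromium 137+. Every other browser gets no isolation
	// headers at all, so COEP/COOP never break cross-origin embeds.
	if ( example_chrome_major_version( $user_agent ) >= 137 ) {
		return array( 'Document-Isolation-Policy' => 'isolate-and-credentialless' );
	}
	return array();
}

// Constructed sample User-Agent strings.
$samples = array(
	'chrome-137' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36',
	'chrome-136' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36',
	'firefox'    => 'Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0',
	'chrome-ios' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/137.0.0.0 Mobile/15E148 Safari/604.1',
);

foreach ( $samples as $label => $ua ) {
	$lines = array();
	foreach ( example_isolation_headers( $ua, false ) as $name => $value ) {
		$lines[] = "$name: $value";
	}
	printf( "%-11s %s\n", $label, $lines ? implode( ', ', $lines ) : '(no isolation headers)' );
}
```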