Add a new HTTP header that prevents documents and workers from loading non-same-origin requests unless explicitly allowed via CORS or CORP. Combined with Cross-Origin-Opener-Policy (COOP), this feature allows documents (and workers) to use powerful APIs such as SharedArrayBuffer.
Loading cross-origin no-cors resources is bad for security. Currently only renderer-based protection prevents web developers from accessing the contents of such resources, but Spectre-like attacks will allow malicious web developers to access any memory in the renderer process. We will be able to allow web developers to use APIs which can be abused for such attacks. One such example is SharedArrayBuffer.
Docs: https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit
Explainers: https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit