If you recently implemented these new anti-Spectre http security headers and then get complains that your RSS feeds don't work any more - yeah, it's that, even though you probably would've never guessed a connection. Cross-Origin-Resource-Policy breaks RSS in Thunderbird.
Conversation
Because in this case RSS is loaded as a web resource, into a renderer context which is also a web resource (although locally hosted). An RSS renderer which would load it as a local file or which would set an appropriate context for rendering the contents wouldn't have the issue.
1
3
twitter.com/DanielMicay/st is another example of a similar issue. Chromium disabled the broken feature.
Using same-origin CORP on public, static assets has little value but it would be nice to set globally.
It also breaks hotlinking images, etc. by design and that's commonly done.
Quote Tweet
Replying to @hanno
Chromium had a similar issue where it didn't set the origin properly for range requests from the internal PDF viewer. It caused breakage with SameSite cookies too:
bugs.chromium.org/p/chromium/iss
bugs.chromium.org/p/chromium/iss
Incremental and partial PDF loading were disabled as a workaround.