Media: Use Document-Isolation-Policy for cross-origin isolation.

Replace COEP/COOP headers with Document-Isolation-Policy (DIP) for cross-origin isolation in the block editor. DIP enables sharedBufferArray while avoiding the breakage COEP/COOP caused for third-party plugins whose iframes lost credentials and DOM access. Non supporting browsers have the client-side media feature disabled by default - falling back to the existing server side processing -  to avoid a degraded editor experience.

Developed in WordPress/wordpress-develop#11098

Props adamsilverstein, westonruter, manhar, swissspidy, mukesh27.
Fixes #64766.



Built from https://develop.svn.wordpress.org/trunk@61844


git-svn-id: http://core.svn.wordpress.org/trunk@61131 1a063a9b-81f0-0310-95a4-ce76da25c4cd

Author: adamsilverstein

wp-includes/media.php

@@ -6393,6 +6393,12 @@ function wp_set_client_side_media_processing_flag(): void {
 
 	wp_add_inline_script( 'wp-block-editor', 'window.__clientSideMediaProcessing = true', 'before' );
 
+	$chromium_version = wp_get_chromium_major_version();
+
+	if ( null !== $chromium_version && $chromium_version >= 137 ) {
+		wp_add_inline_script( 'wp-block-editor', 'window.__documentIsolationPolicy = true;', 'before' );
+	}
+
 	/*
 	 * Register the @wordpress/vips/worker script module as a dynamic dependency
 	 * of the wp-upload-media classic script. This ensures it is included in the
@@ -6405,15 +6411,33 @@ function wp_set_client_side_media_processing_flag(): void {
 	);
 }
 
+/**
+ * Returns the major Chrome/Chromium version from the current request's User-Agent.
+ *
+ * Matches all Chromium-based browsers (Chrome, Edge, Opera, Brave).
+ *
+ * @since 7.0.0
+ *
+ * @return int|null The major Chrome version, or null if not a Chromium browser.
+ */
+function wp_get_chromium_major_version(): ?int {
+	if ( empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
+		return null;
+	}
+	if ( preg_match( '#Chrome/(\d+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
+		return (int) $matches[1];
+	}
+	return null;
+}
+
 /**
  * Enables cross-origin isolation in the block editor.
  *
  * Required for enabling SharedArrayBuffer for WebAssembly-based
- * media processing in the editor.
+ * media processing in the editor. Uses Document-Isolation-Policy
+ * on supported browsers (Chromium 137+).
  *
  * @since 7.0.0
- *
- * @link https://web.dev/coop-coep/
  */
 function wp_set_up_cross_origin_isolation(): void {
 	if ( ! wp_is_client_side_media_processing_enabled() ) {
@@ -6439,26 +6463,22 @@ function wp_set_up_cross_origin_isolation(): void {
 }
 
 /**
- * Starts an output buffer to send cross-origin isolation headers.
+ * Sends the Document-Isolation-Policy header for cross-origin isolation.
  *
- * Sends headers and uses an output buffer to add crossorigin="anonymous"
- * attributes where needed.
+ * Uses an output buffer to add crossorigin="anonymous" where needed.
  *
  * @since 7.0.0
- *
- * @link https://web.dev/coop-coep/
- *
- * @global bool $is_safari
  */
 function wp_start_cross_origin_isolation_output_buffer(): void {
-	global $is_safari;
+	$chromium_version = wp_get_chromium_major_version();
 
-	$coep = $is_safari ? 'require-corp' : 'credentialless';
+	if ( null === $chromium_version || $chromium_version < 137 ) {
+		return;
+	}
 
 	ob_start(
-		static function ( string $output ) use ( $coep ): string {
-			header( 'Cross-Origin-Opener-Policy: same-origin' );
-			header( "Cross-Origin-Embedder-Policy: $coep" );
+		static function ( string $output ): string {
+			header( 'Document-Isolation-Policy: isolate-and-credentialless' );
 
 			return wp_add_crossorigin_attributes( $output );
 		}

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-beta2-61843';
+$wp_version = '7.0-beta2-61844';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.