From bd66aa1c38eaf79ddb1f83821d76270db46fe1c9 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Tue, 2 Aug 2022 17:30:14 -0600 Subject: [PATCH] Add CORP headers to media repo MSC: https://github.com/matrix-org/matrix-spec-proposals/pull/3828 --- changelogs/client_server/newsfragments/1197.feature | 1 + content/client-server-api/modules/content_repo.md | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 changelogs/client_server/newsfragments/1197.feature diff --git a/changelogs/client_server/newsfragments/1197.feature b/changelogs/client_server/newsfragments/1197.feature new file mode 100644 index 00000000..d4ea9b42 --- /dev/null +++ b/changelogs/client_server/newsfragments/1197.feature @@ -0,0 +1 @@ +Add `Cross-Origin-Resource-Policy` (CORP) headers to media repository, as per [MSC3828](https://github.com/matrix-org/matrix-spec-proposals/pull/3828). \ No newline at end of file diff --git a/content/client-server-api/modules/content_repo.md b/content/client-server-api/modules/content_repo.md index 467065a5..86ac98a7 100644 --- a/content/client-server-api/modules/content_repo.md +++ b/content/client-server-api/modules/content_repo.md @@ -19,6 +19,12 @@ When serving content, the server SHOULD provide a `Content-Security-Policy` header. The recommended policy is `sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';`. +{{% added-in v="1.4" %}} + +The server SHOULD additionally provide `Cross-Origin-Resource-Policy: cross-origin` +when serving content to allow (web) clients access to APIs which interact +with the media repository, such as `SharedArrayBuffer`. + #### Matrix Content (MXC) URIs Content locations are represented as Matrix Content (MXC) URIs. They
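Review bot: The new `changelogs/client_server/newsfragments/1197.feature` file is missing a trailing newline (the hunk ends with `\ No newline at end of file`); add one so the fragment matches the other newsfragments and does not produce a spurious diff the next time the file is touched.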
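Review bot: The motivation sentence in the paragraph added to `content_repo.md` is imprecise: `SharedArrayBuffer` is not an API that "interacts with the media repository"; it is gated behind cross-origin isolation (`Cross-Origin-Opener-Policy` together with `Cross-Origin-Embedder-Policy: require-corp`), and a client page that opts into that isolation can only load cross-origin responses that carry a `Cross-Origin-Resource-Policy` header (or CORS headers). Suggest rewording along the lines of "when serving content, so that web clients which enable cross-origin isolation (a prerequisite for APIs such as `SharedArrayBuffer`) can still load media from the repository." It would also help readers to state that `cross-origin` is the most permissive CORP value, and that the `Content-Security-Policy` recommended in the preceding paragraph remains the control that restricts what served content can do once loaded.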