Major browsers, like Google Chrome, support process isolation. This is a way to be able to use browser APIs previously made inaccessible as a result of the Spectre and Meltdown vulnerabilities.
In order to improve security (and enable process isolation) and get access to these APIs back, a COEP (Cross-Origin-Embedder-Policy) header is needed on responses from the server. This part is fine and can already be done (e.g. Nginx on a Droplet).
The issue lies in that this same header, requires a CORP header to be set on all assets/files loaded on that page. As you may know, only CORS is currently supported. This causes an incompatibility issue where Spaces cannot be used in combination with process isolation.
I'd suggest either adding a global CORP header just like CORS, or make it possible to add a CORP header via the file metadata of an object.