Tentatively specified at https://wicg.github.io/cross-origin-embedder-policy/ (I'm now merging the spec to the HTML and the fetch specs). The feature can be enabled by the "cross-origin-embedder-policy" HTTP header, and when enabled, sub resource requests initiated by the document (or worker) requires the CORP check.
<rdar://problem/61799661>
Note that this is now part of the HTML standard: https://html.spec.whatwg.org/multipage/origin.html#coep …and Firefox and Chrome have both shipped support for it: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#browser_compatibility
*** This bug has been marked as a duplicate of bug 228755 ***