The crossOriginIsolated read-only property of the Window interface returns a boolean value that indicates whether the document is cross-origin isolated.

A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and with resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>). The relationships between the document and its cross-origin opener, or any cross-origin popups that it opens, are severed. The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory. This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.

Cross-origin isolated documents operate with fewer restrictions when using the following APIs:

- SharedArrayBuffer can be created and sent via a Window.postMessage() or a MessagePort.postMessage() call.
- Performance.now() offers better precision.
- Performance.measureUserAgentSpecificMemory() can be called.

A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:

- Cross-Origin-Opener-Policy header with the directive same-origin.
- Cross-Origin-Embedder-Policy header with the directive require-corp or credentialless.

Access to the APIs must also be allowed by the Permissions-Policy directive cross-origin-isolated. Otherwise the crossOriginIsolated property will return false, and the document will not be able to use the APIs listed above with reduced restrictions.
Set the Cross-Origin-Embedder-Policy HTTP header to require-corp or credentialless:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Embedder-Policy: credentialless

The cross-origin-isolated directive of the Permissions-Policy header must not block access to the feature. Note that the default allowlist of the directive is self, so the permission will be granted by default to cross-origin isolated documents.