Window: crossOriginIsolated property

The crossOriginIsolated read-only property of the Window interface returns a boolean value that indicates whether the document is cross-origin isolated.

A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>). The relationship between a cross-origin opener of the document or any cross-origin popups that it opens are severed. The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory. This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.

Cross-origin isolated documents operate with fewer restrictions when using the following APIs:

A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:

Access to the APIs must also be allowed by the Permissions-Policy cross-origin-isolated. Otherwise crossOriginIsolated property will return false, and the document will not be able to use the APIs listed above with reduced restrictions.

Value

A boolean value.

Examples

Cross-origin isolating a document

To cross-origin isolate a document:

  • Set the Cross-Origin-Opener-Policy HTTP header to same-origin:

    http
    Cross-Origin-Opener-Policy: same-origin
    
  • Set the Cross-Origin-Embedder-Policy HTTP header to require-corp or credentialless:

    http
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Embedder-Policy: credentialless
    
  • The cross-origin-isolated directive of the Permissions-Policy header must not block access to the feature. Note that the default allowlist of the directive is self, so the permission will be granted by default to cross-origin isolated documents.

Checking if the document is cross-origin isolated

js
const myWorker = new Worker("worker.js");

if (window.crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(16);
  myWorker.postMessage(buffer);
} else {
  const buffer = new ArrayBuffer(16);
  myWorker.postMessage(buffer);
}

Specifications

Specification
HTML Standard
# dom-crossoriginisolated-dev

Browser compatibility

Report problems with this compatibility data on GitHub
desktopmobileserver
Chrome
Edge
Firefox
Opera
Safari
Chrome Android
Firefox for Android
Opera Android
Safari on iOS
Samsung Internet
WebView Android
WebView on iOS
Deno
Node.js
crossOriginIsolated

Legend

Tip: you can click/tap on a cell for more information.

Full support
Full support
No support
No support

See also