WorkerGlobalScope: crossOriginIsolated property
Note: This feature is only available in Web Workers.
The crossOriginIsolated
read-only property of the WorkerGlobalScope
interface returns a boolean value that indicates whether the document is cross-origin isolated.
A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>
).
The relationship between a cross-origin opener of the document or any cross-origin popups that it opens are severed.
The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory.
This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.
Cross-origin isolated documents operate with fewer restrictions when using the following APIs:
SharedArrayBuffer
can be created and sent via aDedicatedWorkerGlobalScope.postMessage()
or aMessagePort.postMessage()
call.Performance.now()
offers better precision.Performance.measureUserAgentSpecificMemory()
can be called.
A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:
Cross-Origin-Opener-Policy
header with the directivesame-origin
.Cross-Origin-Embedder-Policy
header with the directiverequire-corp
orcredentialless
.
Access to the APIs must also be allowed by the Permissions-Policy
cross-origin-isolated
.
Otherwise crossOriginIsolated
property will return false
, and the document will not be able to use the APIs listed above with reduced restrictions.
Value
A boolean value.
Examples
Cross-origin isolating a document
To cross-origin isolate a document:
-
Set the
Cross-Origin-Opener-Policy
HTTP header tosame-origin
:httpCross-Origin-Opener-Policy: same-origin
-
Set the
Cross-Origin-Embedder-Policy
HTTP header torequire-corp
orcredentialless
:httpCross-Origin-Embedder-Policy: require-corp Cross-Origin-Embedder-Policy: credentialless
-
The
cross-origin-isolated
directive of thePermissions-Policy
header must not block access to the feature. Note that the default allowlist of the directive isself
, so the permission will be granted by default to cross-origin isolated documents.
Checking if the document is cross-origin isolated
const myWorker = new Worker("worker.js");
if (self.crossOriginIsolated) {
const buffer = new SharedArrayBuffer(16);
myWorker.postMessage(buffer);
} else {
const buffer = new ArrayBuffer(16);
myWorker.postMessage(buffer);
}
Specifications
Specification |
---|
HTML Standard # dom-crossoriginisolated-dev |
Browser compatibility
BCD tables only load in the browser