Cross-Origin Isolation Reference
What Is Cross-Origin Isolation?
Cross-origin isolation is a browser security mode that restricts how a page can interact with cross-origin resources. When enabled, it unlocks powerful APIs like SharedArrayBuffer that are otherwise disabled due to Spectre-class vulnerabilities.
Required Headers
Every HTTP response from SiliconGhetto deployments must include:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy (COOP)
same-origin ensures the browsing context group only contains same-origin documents. Cross-origin popups opened from the page get their own separate browsing context.
Cross-Origin-Embedder-Policy (COEP)
require-corp requires all subresources to either be same-origin or explicitly opt into being loaded cross-origin via Cross-Origin-Resource-Policy or CORS headers.
What Cross-Origin Isolation Enables
| API | Without Isolation | With Isolation |
|---|---|---|
| SharedArrayBuffer | Unavailable | Available |
| performance.measureUserAgentSpecificMemory() | Unavailable | Available |
| High-resolution performance.now() | Reduced precision (100μs) | Full precision (5μs) |
| WASM threads | Unavailable | Available |
| Atomics.wait() | Unavailable | Available |
Checking Isolation Status
```javascript
// In browser console or page script
if (crossOriginIsolated) {
  console.log("Cross-origin isolation is active");
  console.log("SharedArrayBuffer available:", typeof SharedArrayBuffer !== "undefined");
} else {
  console.warn("Cross-origin isolation is NOT active");
  console.warn("Check COOP/COEP headers");
}
```
Server Configuration
Nginx
```nginx
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
```
Caddy
```
header Cross-Origin-Opener-Policy "same-origin"
header Cross-Origin-Embedder-Policy "require-corp"
```
Python (dev server)
```python
from http.server import HTTPServer, SimpleHTTPRequestHandler

class Handler(SimpleHTTPRequestHandler):
    # Add the isolation headers to every response before the header block is closed
    def end_headers(self):
        self.send_header("Cross-Origin-Opener-Policy", "same-origin")
        self.send_header("Cross-Origin-Embedder-Policy", "require-corp")
        super().end_headers()

HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```
Impact on External Resources
When COEP is set to require-corp, every subresource must either:
- Be same-origin — loaded from the same domain
- Have CORS headers — respond with Access-Control-Allow-Origin
- Have a CORP header — respond with Cross-Origin-Resource-Policy: cross-origin
Resources That May Break
- Google Fonts (use self-hosted fonts instead)
- Third-party analytics scripts (use self-hosted analytics)
- External images without CORS (self-host or proxy)
- CDN-hosted libraries without CORP headers
Self-Hosting Strategy
SiliconGhetto self-hosts all assets:
- Fonts: Downloaded and served from the same origin
- Images: All images are first-party
- Scripts: No third-party JavaScript
- WASM: Built and served from the same origin
Troubleshooting
"SharedArrayBuffer is not defined"
The page is not cross-origin isolated. Check:
- COOP header is present and set to same-origin
- COEP header is present and set to require-corp
- No intermediary (CDN, proxy) is stripping the headers
"Failed to load resource" after enabling COEP
A cross-origin resource lacks CORS or CORP headers. Options:
- Self-host the resource
- Add CORS headers to the resource server
- Use a service worker to add headers (not recommended for production)
Checking Headers
```bash
curl -I https://siliconghetto.com/ | grep -i "cross-origin"
```
Expected output:
```
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
```
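The two checks this page describes, the document's COOP/COEP headers and the rule a COEP require-corp page applies to each subresource, as an added offline checker that is not part of the site's own code. Function names and the sample header block are constructed for the example; CORP same-site is not modelled.

```python
from urllib.parse import urlsplit

# Added example; these helper names are assumptions, not site code.

def parse_header_block(text):
    """Turn raw `curl -I` output into a lowercase-keyed dict (status line skipped)."""
    headers = {}
    for line in text.splitlines():
        if ":" in line and not line.lower().startswith("http/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip().lower()
    return headers

def origin_of(url):
    """scheme://host[:port], the unit that COOP, COEP and CORS compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def cross_origin_isolated(headers):
    """(isolated?, problems) for a top-level document's response headers."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    problems = []
    if h.get("cross-origin-opener-policy") != "same-origin":
        problems.append("COOP missing or not same-origin")
    if h.get("cross-origin-embedder-policy") != "require-corp":
        problems.append("COEP missing or not require-corp")
    return (not problems, problems)

def subresource_allowed(page_url, resource_url, resource_headers, cors_mode=False):
    """Would a COEP: require-corp page be allowed to load this subresource?
    cors_mode=True models a fetch sent with CORS (e.g. a crossorigin attribute)."""
    h = {k.lower(): v.strip().lower() for k, v in resource_headers.items()}
    page_origin, res_origin = origin_of(page_url), origin_of(resource_url)
    if page_origin == res_origin:
        return True                      # same-origin needs no opt-in
    if cors_mode:                        # CORS request: the CORS grant decides
        return h.get("access-control-allow-origin") in ("*", page_origin)
    # no-cors request: only an explicit CORP opt-in passes
    return h.get("cross-origin-resource-policy") == "cross-origin"

# Constructed sample: what the curl check above prints for a correct deployment
SAMPLE_CURL = """HTTP/2 200
content-type: text/html
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
"""
```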