Window: crossOriginIsolated property
The crossOriginIsolated read-only property of the Window interface returns a boolean value that indicates whether the document is cross-origin isolated.
A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>).
The relationship between the document and a cross-origin opener, or any cross-origin popups that it opens, is severed.
The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory.
This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.
Cross-origin isolated documents operate with fewer restrictions when using the following APIs:
- SharedArrayBuffer can be created and sent via a Window.postMessage() or a MessagePort.postMessage() call.
- Performance.now() offers better precision.
- Performance.measureUserAgentSpecificMemory() can be accessed.
A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:
- Cross-Origin-Opener-Policy header with the directive same-origin.
- Cross-Origin-Embedder-Policy header with the directive require-corp or credentialless.
Value
A boolean value.
Examples
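```js
const myWorker = new Worker("worker.js");

if (window.crossOriginIsolated) {
  // Isolated: shared memory may be created and posted to the worker.
  const buffer = new SharedArrayBuffer(16);
  myWorker.postMessage(buffer);
} else {
  // Not isolated: fall back to a regular ArrayBuffer.
  const buffer = new ArrayBuffer(16);
  myWorker.postMessage(buffer);
}
```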
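The header condition from the introduction, written as a check that can be run over captured response headers. This is an added example, not code from the original page. The function names, the simplified token parsing and the sample headers are assumptions constructed here, and only the two headers named above are modelled.

```javascript
// Added example (not from the original page): audit response headers for
// the cross-origin isolation condition. Parsing is simplified, not a full
// Structured Fields parser; all sample headers are constructed.

// Bare directive of a header value, without any ";param" suffix.
function directive(value) {
  if (typeof value !== "string") return null;
  // Assumption: a comma (repeated or merged header) is treated as invalid.
  if (value.includes(",")) return null;
  const token = value.split(";")[0].trim();
  return token === "" ? null : token;
}

// Header names are case-insensitive; directive values are compared exactly.
function lookup(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function auditIsolationHeaders(headers) {
  const coop = directive(lookup(headers, "cross-origin-opener-policy"));
  const coep = directive(lookup(headers, "cross-origin-embedder-policy"));
  const problems = [];
  if (coop !== "same-origin") {
    problems.push(`COOP is ${coop ?? "missing or invalid"}; need same-origin`);
  }
  if (coep !== "require-corp" && coep !== "credentialless") {
    problems.push(`COEP is ${coep ?? "missing or invalid"}; need require-corp or credentialless`);
  }
  return { isolated: problems.length === 0, problems };
}

// Constructed sample responses.
const samples = {
  ok: { "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp" },
  credentialless: { "cross-origin-opener-policy": 'same-origin; report-to="coop"',
                    "cross-origin-embedder-policy": "credentialless" },
  popups: { "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
            "Cross-Origin-Embedder-Policy": "require-corp" },
  noCoep: { "Cross-Origin-Opener-Policy": "same-origin" },
};

for (const [name, headers] of Object.entries(samples)) {
  const r = auditIsolationHeaders(headers);
  console.log(name, r.isolated ? "meets the header condition" : r.problems.join(" | "));
}
```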
Specifications
Specification |
---|
HTML Standard # dom-crossoriginisolated-dev |