Window: crossOriginIsolated property
The `crossOriginIsolated` read-only property of the `Window` interface returns a boolean value that indicates whether the document is cross-origin isolated.
A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for `<iframe>`). The relationship between the document and a cross-origin opener, or any cross-origin popups that it opens, is severed. The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory. This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.
Cross-origin isolated documents operate with fewer restrictions when using the following APIs:
- `SharedArrayBuffer` can be created and sent via a `Window.postMessage()` or a `MessagePort.postMessage()` call.
- `Performance.now()` offers better precision.
- `Performance.measureUserAgentSpecificMemory()` can be called.
A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:
- `Cross-Origin-Opener-Policy` header with the directive `same-origin`.
- `Cross-Origin-Embedder-Policy` header with the directive `require-corp` or `credentialless`.
Access to the APIs must also be allowed by the `Permissions-Policy` `cross-origin-isolated` directive. Otherwise the `crossOriginIsolated` property will return `false`, and the document will not be able to use the APIs listed above with reduced restrictions.
Value
A boolean value.
Examples
Cross-origin isolating a document
To cross-origin isolate a document:
1. Set the `Cross-Origin-Opener-Policy` HTTP header to `same-origin`:

   ```http
   Cross-Origin-Opener-Policy: same-origin
   ```

2. Set the `Cross-Origin-Embedder-Policy` HTTP header to `require-corp` or `credentialless`:

   ```http
   Cross-Origin-Embedder-Policy: require-corp
   Cross-Origin-Embedder-Policy: credentialless
   ```

3. The `cross-origin-isolated` directive of the `Permissions-Policy` header must not block access to the feature. Note that the default allowlist of the directive is `self`, so the permission will be granted by default to cross-origin isolated documents.
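
A header check covering the three steps above, as an added example that is not part of the original page. The function names, the sample responses and the origin `https://app.example` are constructed for illustration, and the `Permissions-Policy` parsing is a simplified approximation of the header's structured-field syntax.

```javascript
// Added example: predict cross-origin isolation from a response's headers.
function firstToken(value) {
  // COOP/COEP values are a token optionally followed by parameters,
  // e.g. `same-origin; report-to="coop"`; only the token matters here.
  return (value || "").split(";")[0].trim().toLowerCase();
}

function policyAllows(policy, origin) {
  // Simplified parse (assumption): find the cross-origin-isolated allowlist.
  const m = /(?:^|,)\s*cross-origin-isolated\s*=\s*(\([^)]*\)|[^,;\s]+)/i.exec(policy || "");
  if (!m) return true; // directive absent: default allowlist is self
  const items = m[1].replace(/^\(|\)$/g, "").split(/\s+/).filter(Boolean);
  return items.some((i) => i === "*" || i === "self" || i === `"${origin}"`);
}

function auditIsolation(headers, origin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (firstToken(h["cross-origin-opener-policy"]) !== "same-origin")
    problems.push("COOP is not same-origin");
  const coep = firstToken(h["cross-origin-embedder-policy"]);
  if (coep !== "require-corp" && coep !== "credentialless")
    problems.push("COEP is not require-corp or credentialless");
  if (!policyAllows(h["permissions-policy"], origin))
    problems.push("Permissions-Policy blocks cross-origin-isolated");
  return { isolated: problems.length === 0, problems };
}

// Constructed sample responses for the constructed origin https://app.example.
const ORIGIN = "https://app.example";
const SAMPLES = {
  isolated: {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": 'require-corp; report-to="coep"',
  },
  reportOnly: { // Report-Only variants do not enforce anything
    "Cross-Origin-Opener-Policy-Report-Only": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
  },
  blockedByPolicy: {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "credentialless",
    "Permissions-Policy": "geolocation=(), cross-origin-isolated=()",
  },
};
for (const [name, headers] of Object.entries(SAMPLES))
  console.log(name, JSON.stringify(auditIsolation(headers, ORIGIN)));
```

Running the same check against captured response headers in CI catches a deployment that drops one of the headers before `window.crossOriginIsolated` silently turns `false` in production.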
Checking if the document is cross-origin isolated
```js
const myWorker = new Worker("worker.js");

if (window.crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(16);
  myWorker.postMessage(buffer);
} else {
  const buffer = new ArrayBuffer(16);
  myWorker.postMessage(buffer);
}
```

Specifications
| Specification |
|---|
| HTML # dom-crossoriginisolated-dev |