ThecrossOriginIsolated read-only property of theWindow interface returns a boolean value that indicates whether the document is cross-origin isolated.

A cross-origin isolated document only shares itsbrowsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using viaCORS (andCOEP for<iframe>).The relationship between a cross-origin opener of the document or any cross-origin popups that it opens are severed.The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory.This mitigates the risk of side-channel attacks and cross-origin attacks referred to asXS-Leaks.

Cross-origin isolated documents operate with fewer restrictions when using the following APIs:

• SharedArrayBuffer can be created and sent via aWindow.postMessage() or aMessagePort.postMessage() call.
• Performance.now() offers better precision.
• Performance.measureUserAgentSpecificMemory() can be called.

A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:

• Cross-Origin-Opener-Policy header with the directivesame-origin.
• Cross-Origin-Embedder-Policy header with the directiverequire-corp orcredentialless.

Access to the APIs must also be allowed by thePermissions-Policycross-origin-isolated.OtherwisecrossOriginIsolated property will returnfalse, and the document will not be able to use the APIs listed above with reduced restrictions.

This page was last modified onMar 13, 2025 byMDN contributors.