Window: crossOriginIsolated property
The crossOriginIsolated
read-only property of the Window
interface returns a boolean value that
indicates whether the website is in a cross-origin isolation state. That state mitigates the risk of side-channel attacks and unlocks a few capabilities:
SharedArrayBuffer
can be created and sent via aWindow.postMessage()
or aMessagePort.postMessage()
call.Performance.now()
offers better precision.Performance.measureUserAgentSpecificMemory()
can be accessed.
A website is in a cross-origin isolated state, when the response header Cross-Origin-Opener-Policy
has the value same-origin
and the Cross-Origin-Embedder-Policy
header has the value require-corp
or credentialless
.
Value
A boolean value.
Examples
js
const myWorker = new Worker("worker.js");
if (window.crossOriginIsolated) {
const buffer = new SharedArrayBuffer(16);
myWorker.postMessage(buffer);
} else {
const buffer = new ArrayBuffer(16);
myWorker.postMessage(buffer);
}
Specifications
Specification |
---|
HTML Standard # dom-crossoriginisolated-dev |
Browser compatibility
BCD tables only load in the browser