W3cubDocs

/Web APIs

crossOriginIsolated global property

The global crossOriginIsolated read-only property returns a boolean value that indicates whether the website is in a cross-origin isolation state. That state mitigates the risk of side-channel attacks and unlocks a few capabilities:

SharedArrayBuffer can be created and sent via a Window.postMessage() call.
Performance.now() offers better precision.
Performance.measureUserAgentSpecificMemory() can be accessed.

A website is in a cross-origin isolated state, when the response header Cross-Origin-Opener-Policy has the value same-origin and the Cross-Origin-Embedder-Policy header has the value require-corp or credentialless.

Value

A boolean value.

Examples

const myWorker = new Worker("worker.js");

if (crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(16);
  myWorker.postMessage(buffer);
} else {
  const buffer = new ArrayBuffer(16);
  myWorker.postMessage(buffer);
}

Specifications

Specification
HTML Standard # dom-crossoriginisolated-dev

Browser compatibility

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	WebView Android	Chrome Android	Firefox for Android	Opera Android	Safari on IOS	Samsung Internet
`crossOriginIsolated`	87	87	72	No	73	15.2	87	87	79	62	15.2	14.0
`worker_support`	87	87	72	No	73	No	87	87	79	62	No	14.0

Value

Examples

Specifications

Browser compatibility

See also