Note: This feature is only available in Web Workers.
The crossOriginIsolated read-only property of the WorkerGlobalScope interface returns a boolean value that indicates whether the document is cross-origin isolated.
A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>). The relationship between a cross-origin opener of the document or any cross-origin popups that it opens are severed. The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory. This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.
Cross-origin isolated documents operate with fewer restrictions when using the following APIs:
SharedArrayBuffer can be created and sent via a DedicatedWorkerGlobalScope.postMessage() or a MessagePort.postMessage() call.Performance.now() offers better precision.Performance.measureUserAgentSpecificMemory() can be called.A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:
Cross-Origin-Opener-Policy header with the directive same-origin.Cross-Origin-Embedder-Policy header with the directive require-corp or credentialless.Access to the APIs must also be allowed by the Permissions-Policy cross-origin-isolated. Otherwise crossOriginIsolated property will return false, and the document will not be able to use the APIs listed above with reduced restrictions.
A boolean value.
To cross-origin isolate a document:
Set the Cross-Origin-Opener-Policy HTTP header to same-origin:
Cross-Origin-Opener-Policy: same-origin
Set the Cross-Origin-Embedder-Policy HTTP header to require-corp or credentialless:
Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Embedder-Policy: credentialless
The cross-origin-isolated directive of the Permissions-Policy header must not block access to the feature. Note that the default allowlist of the directive is self, so the permission will be granted by default to cross-origin isolated documents.
const myWorker = new Worker("worker.js");
if (self.crossOriginIsolated) {
const buffer = new SharedArrayBuffer(16);
myWorker.postMessage(buffer);
} else {
const buffer = new ArrayBuffer(16);
myWorker.postMessage(buffer);
}
| Specification |
|---|
| HTML> # dom-crossoriginisolated-dev> |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Opera | Safari | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | WebView Android | WebView on iOS | |
crossOriginIsolated |
87 | 87 | 72 | 73 | 15.2 | 87 | 79 | 62 | 15.2 | 14.0 | 87 | 15.2 |
© 2005–2025 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/crossOriginIsolated