1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is a no-op for agents in cross-origin isolated agent clusters.
2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/).
3. Introduce self.crossOriginIsolated, returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.
Following the Spectre/Meltdown discovery, sensitive APIs such as SharedArrayBuffer were disabled on certain platforms where many sites share processes (e.g. Android). We want to give developers the opportunity to use these features while maintaining a good security level. We believe COOP and COEP ensure sufficient security boundaries. When both COOP and COEP are set, we set crossOriginIsolated to true, which in the long run will allow the use of such powerful APIs.
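The check below is an added example, not code from this page or from Chromium: it audits a response's headers for the COOP/COEP condition described above and gates SharedArrayBuffer use on self.crossOriginIsolated. The header values (same-origin, require-corp) come from the COOP and COEP specifications rather than this page, the function names are hypothetical, and the cross-origin isolated permission is not modelled.

```javascript
// Header values that together make a top-level document cross-origin isolated.
// Assumption from the COOP/COEP specs (not stated on this page). COEP
// "credentialless", added to the spec later, is not covered here.
const REQUIRED = {
  'cross-origin-opener-policy': ['same-origin'],
  'cross-origin-embedder-policy': ['require-corp'],
};

// Extract the policy token, dropping parameters such as report-to.
function policyToken(value) {
  if (typeof value !== 'string') return null;
  return value.split(';')[0].trim().toLowerCase() || null;
}

// Audit a plain {name: value} header map. Report-only variants use different
// header names, so they never satisfy the requirement.
function auditIsolationHeaders(headers) {
  const normalized = {};
  for (const [name, value] of Object.entries(headers)) {
    normalized[name.toLowerCase()] = value;
  }
  const problems = [];
  for (const [name, allowed] of Object.entries(REQUIRED)) {
    const token = policyToken(normalized[name]);
    if (token === null) {
      problems.push(`${name} missing`);
    } else if (!allowed.includes(token)) {
      problems.push(`${name} is "${token}", need ${allowed.join(' or ')}`);
    }
  }
  return { isolated: problems.length === 0, problems };
}

// Runtime gate: only allocate shared memory when the browser reports that the
// agent cluster is isolated; otherwise fall back to a non-shared buffer.
function makeBuffer(byteLength, scope = globalThis) {
  const shared = scope.crossOriginIsolated === true &&
                 typeof SharedArrayBuffer === 'function';
  const buffer = shared ? new SharedArrayBuffer(byteLength)
                        : new ArrayBuffer(byteLength);
  return { shared, buffer };
}
```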
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 87
- Chrome for Android release 87
Consensus & Standardization
- No signal
- No signal
- No signals
Search tags: COOP, COEP, crossOriginIsolated, COI
Last updated on 2021-01-28