1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is no-op for agents in cross-origin isolated agent clusters. 2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/). 3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.


Following Spectre/Meldown discovery, sensitive APIs such as SharedArrayBuffer were disabled on certain platforms with a lot of shared processes (e.g. Android). We want to give developers the opportunity to use these features, while maintaining a good security level. We believe COOP and COEP ensure sufficient security boundaries. When we have both COOP and COEP set we set crossOriginIsolated to true, which in the long run will allow the use of such powerful APIs.



Specification link

Specification being incubated in a Community Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.


Search tags

COOP, COEP, crossOriginIsolated, COI,

Last updated on 2021-12-13