Intent to Ship: cross-origin isolation


Arthur Hemery

Sep 28, 2020, 11:24:37 AM

Contact emails,


Explainer for COOP/COEP, from which it is derived.

As a general rule, a page is said to be cross-origin isolated if it has both COOP set to “same-origin” and COEP set to “require-corp”. Cross-origin isolation itself is a three-part change:

1. Use origin instead of site as the agent cluster key for cross-origin isolated agent clusters. document.domain mutation is a no-op for agents in cross-origin isolated agent clusters.

2. Introduce cross-origin isolated permission (

3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.

Note: Service Worker support is still under active development due to unforeseen complexities.
This complementary part is expected to be fully complete in 88 or 89.

Specification for the interfaces working with crossOriginIsolated.

Design docs

Blink component


TAG review

None. This is not a new feature, but instead an update of our implementation to match previously-agreed-upon and specified security consequences of existing, already-reviewed features (the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers). There is some discussion about the combination of those, and their impact on enabling powerful features, in

TAG review status

Not applicable




Interoperability and Compatibility

This change has a compatibility risk, as (1) is a breaking change.

The risk should be small, given only the web developers who have already enabled COOP+COEP are affected, and according to the number is still small (0.00127% for COEP: require-corp).



Gecko: Shipped/Shipping (


WebKit: No signal


Web developers: No signals



This is security positive, comes with a bunch of restrictions regarding processes, document.domain, etc. Pushes COOP/COEP usage which is also security positive.


Already working with devtools on COOP and COEP which enable this feature.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. COOP/COEP, and hence crossOriginIsolated, are not supported in WebView.

Is this feature fully tested by web-platform-tests?


Tracking bug

Link to entry on the Chrome Platform Status
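The rule stated in the intent (COOP “same-origin” plus COEP “require-corp” gives cross-origin isolation, under which document.domain mutation is a no-op) as an added worked example; this is not code from the intent or from Chromium. The header sets and the plain-object stand-in for `document` are constructed for illustration, and a real page would consult `self.crossOriginIsolated` rather than this model.

```javascript
// Header names and the required values are the real ones from the intent.
const COOP = 'cross-origin-opener-policy';
const COEP = 'cross-origin-embedder-policy';

// Reduce a header value to its policy token: drop parameters such as
// report-to="...", surrounding whitespace and case differences.
function policyToken(value) {
  if (typeof value !== 'string') return '';
  return value.split(';')[0].trim().toLowerCase();
}

// Decide whether a document served with these response headers would be
// cross-origin isolated. Returns the tokens seen and which requirement is
// unmet, so a reviewer can see why a page is NOT isolated.
function evaluateIsolation(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const coop = policyToken(lower[COOP]);
  const coep = policyToken(lower[COEP]);
  const missing = [];
  if (coop !== 'same-origin') missing.push(`${COOP}: same-origin`);
  if (coep !== 'require-corp') missing.push(`${COEP}: require-corp`);
  return { isolated: missing.length === 0, coop, coep, missing };
}

// Model of part (1) of the change: in a cross-origin isolated agent
// cluster, assigning document.domain must not relax the origin boundary.
// `doc` is a constructed stand-in for the real document object.
function setDocumentDomain(doc, isolated, newDomain) {
  if (isolated) return doc.domain; // no-op under cross-origin isolation
  doc.domain = newDomain;          // legacy relaxation still applies
  return doc.domain;
}

// Constructed sample header sets.
const isolatedHeaders = {
  'Cross-Origin-Opener-Policy': 'same-origin; report-to="coop-endpoint"',
  'Cross-Origin-Embedder-Policy': 'require-corp',
};
const coopOnlyHeaders = {
  'Cross-Origin-Opener-Policy': 'same-origin-allow-popups',
};
```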

Mike West

Sep 28, 2020, 11:56:59 AM
to blink-dev, Arthur Hemery
LGTM1. This is a pretty critical part of the story we want to be telling around the defensible security boundaries developers can expect the browser to enforce in the face of side-channel attacks. It's a clear continuation of the intents to ship COOP and COEP, and is a primitive that other features (like `performance.memoryManagement`) are conceptually relying upon. I'm happy we're following Firefox's implementation with our own.

I wouldn't frame this as a breaking change. Opting into COOP/COEP is supposed to prevent `document.domain` from relaxing the page's security boundary beyond the origin; that's part of what developers are opting-into. The fact that we aren't doing this today is a security issue in our initial implementation that's resolved by this intent. :)

> Gecko: Shipped/Shipping (


> WebKit: No signal

It would likely be a good idea to drop our friends at WebKit a line again to ask about their plans, now that Firefox and Chromium both have implementations of COOP/COEP and the underlying isolation model.

> Web developers: No signals

FWIW, developers on Google's security team are excited about this mechanism as a mitigation for some exciting side-channel attacks that are otherwise difficult to defend against. They're doing the work to roll out COOP and COEP in order to obtain exactly this security boundary.

Yoav Weiss

Sep 30, 2020, 10:31:31 AM
to Mike West, blink-dev, Arthur Hemery


Chris Harrelson

Sep 30, 2020, 11:29:12 AM
to Yoav Weiss, Mike West, blink-dev, Arthur Hemery