Hi all,
As part of our response to side-channel attacks like Spectre, Chromium disabled SharedArrayBuffer globally, and then re-enabled it on platforms where we could comfortably deploy Site Isolation. Since then, we've been working through new isolation primitives in collaboration with other browser vendors that we believe will enable us to safely re-enable SharedArrayBuffers on all platforms.
COOP and COEP will be shipping along with M83, and together allow developers to opt-into a "cross-origin isolated" state which substantially mitigates the risk that cross-origin data can accidentally flow into a process an attacker can poke at. Our plan is to enable SharedArrayBuffer on all platforms, only for pages that opt-into such protections.
We'd like feedback on the following rough timeline:
M85 (Aug, 2020): Re-enable SharedArrayBuffer on Android for cross-origin isolated pages
M89 (Mar, 2021):
We'll migrate the usage of SharedArrayBuffer on desktop platforms to also require a "cross-origin isolated" state, and as such align desktop and mobile platforms. Further information will be provided later this year. If you anticipate challenges for your side transitioning to this requirement, please reach out to va...@chromium.org or respond on this thread.
A reverse origin-trial will be offered to allow developers to keep the status quo behavior for the next two milestones
M91 (May, 2021): We'll remove the reverse origin-trial. SharedArrayBuffer can only be used on isolated pages.
The migration on desktop will unify the behavior between platforms and browsers, as Firefox is also going to require COOP/COEP in order to provide access to SharedArrayBuffers.
If you want to feature-detect for the availability of SharedArrayBuffers please follow this advice.
Additional info about COOP/COEP and why you should start using it right away can be found here:
Lutz Vahl
Technical Program Manager
Google Germany GmbH
Erika-Mann-Strasse 36
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde.
This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
Hi all,
As part of our response to side-channel attacks like Spectre, Chromium disabled SharedArrayBuffer globally, and then re-enabled it on platforms where we could comfortably deploy Site Isolation. Since then, we've been working through new isolation primitives in collaboration with other browser vendors that we believe will enable us to safely re-enable SharedArrayBuffers on all platforms.
COOP and COEP will be shipping along with M83, and together allow developers to opt-into a "cross-origin isolated" state which substantially mitigates the risk that cross-origin data can accidentally flow into a process an attacker can poke at. Our plan is to enable SharedArrayBuffer on all platforms, only for pages that opt-into such protections.
We'd like feedback on the following rough timeline:
M85 (Aug, 2020): Re-enable SharedArrayBuffer on Android for cross-origin isolated pages
M89 (Mar, 2021):
We'll migrate the usage of SharedArrayBuffer on desktop platforms to also require a "cross-origin isolated" state, and as such align desktop and mobile platforms. Further information will be provided later this year. If you anticipate challenges for your side transitioning to this requirement, please reach out to va...@chromium.org or respond on this thread.
A reverse origin-trial will be offered to allow developers to keep the status quo behavior for the next two milestones
M91 (May, 2021): We'll remove the reverse origin-trial. SharedArrayBuffer can only be used on isolated pages.
The migration on desktop will unify the behavior between platforms and browsers, as Firefox is also going to require COOP/COEP in order to provide access to SharedArrayBuffers.
If you want to feature-detect for the availability of SharedArrayBuffers please follow this advice.
Additional info about COOP/COEP and why you should start using it right away can be found here:
Lutz Vahl
Technical Program Manager