Document-Isolation-Policy #145

Closed
camillelamy opened this issue Apr 3, 2024 · 2 comments
@camillelamy

Introduction

Developers want to build applications that are fast using SharedArrayBuffers (SAB), which can improve computation time by ~40%. But SharedArrayBuffers allow the creation of high-precision timers that can be exploited in a Spectre attack, allowing cross-origin user data to be leaked. To mitigate the risk, SharedArrayBuffers are gated behind crossOriginIsolation (COI). CrossOriginIsolation requires deploying both Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP). Both have proven hard to deploy, COOP because it prevents communication with cross-origin popups, and COEP because it imposes restrictions on third-party embeds. Finally, the whole COOP + COEP model is focused on providing access to SharedArrayBuffers to the top-level frame. Cross-origin embeds can only use SABs if their embedder deploys crossOriginIsolation and delegates the permission to use COI-gated APIs, making the availability of SABs in third-party iframes very unreliable.

Read the complete Explainer.

Feedback (Choose One)

Please provide all feedback below.

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.
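The gating described in the introduction above, written as a deployment check. This is an added example, not part of the issue or of the explainer: the function names are hypothetical, and the report-only header names and the `cross-origin-isolated` permission token come from the COOP/COEP and Permissions Policy specifications rather than from this page. It covers only the conditions the introduction names (COOP plus COEP on the top-level document, and embedder isolation plus delegation for a cross-origin embed).

```javascript
// Added example. Header sets passed in are plain objects, e.g. copied from a
// captured response; nothing here is fetched over the network.

// First token of a header value, ignoring parameters such as ;report-to="x".
const token = (v) => (v || "").split(";")[0].trim().toLowerCase();

// Lower-case header names so lookups are case-insensitive.
const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

// Top-level document: needs an enforcing COOP and an enforcing COEP.
function auditTopLevel(headers) {
  const h = lower(headers);
  const problems = [];
  const want = {
    "cross-origin-opener-policy": ["same-origin"],
    "cross-origin-embedder-policy": ["require-corp", "credentialless"],
  };
  for (const [name, accepted] of Object.entries(want)) {
    const value = token(h[name]);
    if (accepted.includes(value)) continue;
    const reportOnly = token(h[name + "-report-only"]);
    problems.push(reportOnly
      ? `${name} is report-only (${reportOnly}); it is not enforced`
      : `${name} is "${value || "unset"}", expected ${accepted.join(" or ")}`);
  }
  return { isolated: problems.length === 0, problems };
}

// True if an iframe allow="" attribute delegates the named feature.
function delegates(allowAttr, feature) {
  return (allowAttr || "").split(";").some((entry) => {
    const [name, ...allowlist] = entry.trim().split(/\s+/);
    return name === feature && !allowlist.includes("'none'");
  });
}

// Cross-origin embed: the two conditions named in the introduction above.
function auditEmbed(embedderHeaders, allowAttr) {
  const top = auditTopLevel(embedderHeaders);
  const problems = top.problems.map((p) => "embedder: " + p);
  if (!delegates(allowAttr, "cross-origin-isolated"))
    problems.push('iframe allow attribute does not delegate "cross-origin-isolated"');
  return { sabAvailable: problems.length === 0, problems };
}
```

In a browser, the result can be compared against the runtime value of `self.crossOriginIsolated` in the document being audited.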

@ReinoutStevens

I'm the CTO for a large gaming publisher website. We have been trying to get SharedArrayBuffers to work in our setup, with more and more support being added by the major web engines (Unity, Godot). But we have never been able to get advertisements to work. As these are our only source of income, this is a must-have. Credentialless iframes came close to solving things, but video ads never worked correctly. We have 0 control over these, and the ad tech sector is not known to quickly adapt to changes.

This document isolation policy seems promising as our use case is covered by it. Looking forward to trying it out.

@yoavweiss
Collaborator

It seems like there's enough support for this, so I went ahead and created https://github.com/WICG/document-isolation-policy

Happy incubation! :)
