HOME
ABOUT
- RESULTS
- differences
- BENEFITS
- HISTORY
- TEAM
- LOCATION
- FACILITIES
- BANKING
- MEMBERSHIPS
- APPROVALS
- LICENCES
- SUPPLIERS
- SPONSORSHIPS
- MEDIA
- PRIVACY
AUCTIONS
SHIPPING
FEES
- TS REWARDS
TOOLS
guides
FAQ
CONTACT
- CONNECT

VEHICLES
BRAND
- JAPANESE CARS
  - DAIHATSU
  - EUNOS
  - FORD
  - HONDA
  - ISUZU
  - LEXUS
  - MAZDA
  - MITSUBISHI
  - MITSUOKA
  - NISSAN
  - SUBARU
  - SUZUKI
  - TOYOTA
- GERMAN CARS
- AMERICAN CARS
- BRITISH CARS
- ITALIAN CARS
- FRENCH CARS
- SWEDISH CARS
- KOREAN CARS
TYPE
- mobility
- VENDING
- instruction
- TAXIS
- AMBULANCES
- FIRE ENGINES
- HEARSES
- LIMOUSINES
- COMMERCIAL
CLASS
FUEL
TRUCKS
minitrucks
- DAIHATSU
- HONDA
- MAZDA
- MITSUBISHI
- NISSAN
- SUBARU
- SUZUKI
- DUMP
- CRANE
- CAMPER
- REFRIGERATED
- 4WD
- NEW
BUSES
MOTORHOMES
- YAHOO!
- RAKUTEN
- DEALER

PARTS
- FREE REPORT
- PARTS CONTAINERS
- PARTS SYSTEMS
- PARTS PROTECTION
- BODY SHELLS
- DISMANTLING
- ONLINE PARTS
- NEW PARTS
- INTERIOR PARTS
- EXTERIOR PARTS
  - BONNETS
  - BUMPERS
  - GRILLES
  - FENDERS
  - DOORS
  - TRUNKS
  - SPOILERS
  - LIGHTS
  - EMBLEMS
  - CAMERAS
- ENGINES
- TRANSMISSIONS
- WHEELS & TYRES
  - WHEELS
  - TYRES
CUTS
PERFORMANCE PARTS
TRUCK PARTS
MOTORBIKE PARTS
- MOTORBIKE ENGINES
- MOTORBIKE ACCESSORIES

MOTORBIKES
MARINE
FORKLIFTS
MACHINERY
AGRICULTURAL
OTHER
COUNTRY
- AUSTRALIA
- CANADA
- KENYA
- MYANMAR
- NEW ZEALAND
- PAKISTAN
- TANZANIA
- UNITED STATES

CARVIEW

MOTORHOMES

Select Language

HTTP/2 302 x-cloud-trace-context: 955838c2c6b8107ebde1576e6fe02321 location: /en-US/docs/Web/API/WindowOrWorkerGlobalScope/crossOriginIsolated via: 1.1 google, 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish accept-ranges: bytes cache-control: no-store server: Google Frontend content-type: text/plain; charset=utf-8 date: Thu, 25 Dec 2025 18:39:26 GMT x-served-by: cache-bfi-kbfi7400095-BFI, cache-bfi-kbfi7400092-BFI, cache-sin-wsat1880048-SIN, cache-bom-vanm7210097-BOM x-cache: MISS, MISS, MISS, MISS x-cache-hits: 0, 0, 0, 0 x-timer: S1766687966.790009,VS0,VE391 vary: Accept content-length: 87 HTTP/2 301 via: 1.1 google, 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish location: /en-US/docs/Web/API/Window/crossOriginIsolated content-type: text/plain; charset=utf-8 cache-control: max-age=2592000,public server: Google Frontend x-cloud-trace-context: 7706b7a1a604eca6f78428a23c461763 accept-ranges: bytes age: 182058 date: Thu, 25 Dec 2025 18:39:26 GMT x-served-by: cache-bfi-krnt7300040-BFI, cache-bfi-krnt7300073-BFI, cache-sin-wsss1830028-SIN, cache-bom-vanm7210097-BOM x-cache: MISS, MISS, HIT, MISS x-cache-hits: 0, 0, 1, 0 x-timer: S1766687966.194212,VS0,VE51 vary: Accept content-length: 80 HTTP/2 200 via: 1.1 google, 1.1 varnish, 1.1 varnish, 1.1 varnish x-goog-stored-content-length: 166162 server: Google Frontend content-type: text/html x-goog-generation: 1766624774675656 x-guploader-uploadid: AHVrFxPML0Re_8cBjND08o3FDHKDoSztHk6d5eON_b_0aW7GL0TL1N8OlBQ8RkEpvg1ccR8gxpNCBgA cache-control: public, max-age=3600 x-frame-options: DENY x-goog-storage-class: STANDARD etag: "6dd5ae445db8ebef8e6868a31b3f5e53" strict-transport-security: max-age=63072000 x-goog-hash: crc32c=bfz8Pg==, md5=bdWuRF246++OaGijGz9eUw== content-security-policy: default-src 'self'; script-src 'report-sample' 'self' 'wasm-unsafe-eval' https://www.google-analytics.com/analytics.js https://*.googletagmanager.com assets.codepen.io production-assets.codepen.io https://js.stripe.com 'sha256-XNBp89FG76amD8BqrJzyflxOF9PaWPqPqvJfKZPCv7M=' 'sha256-YCNoU9DNiinACbd8n6UPyB/8vj0kXvhkOni9/06SuYw=' 'sha256-PZjP7OR6mBEtnvXIZfCZ5PuOlxoDF1LDZL8aj8c42rw='; script-src-elem 'report-sample' 'self' 'wasm-unsafe-eval' https://www.google-analytics.com/analytics.js https://*.googletagmanager.com assets.codepen.io production-assets.codepen.io https://js.stripe.com 'sha256-XNBp89FG76amD8BqrJzyflxOF9PaWPqPqvJfKZPCv7M=' 'sha256-YCNoU9DNiinACbd8n6UPyB/8vj0kXvhkOni9/06SuYw=' 'sha256-PZjP7OR6mBEtnvXIZfCZ5PuOlxoDF1LDZL8aj8c42rw='; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' developer.allizom.org bcd.developer.allizom.org bcd.developer.mozilla.org updates.developer.allizom.org updates.developer.mozilla.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://incoming.telemetry.mozilla.org https://observatory-api.mdn.allizom.net https://observatory-api.mdn.mozilla.net https://api.github.com/search/issues stats.g.doubleclick.net https://api.stripe.com; font-src 'self'; frame-src 'self' mdn.github.io *.mdnplay.dev *.mdnyalp.dev *.play.test.mdn.allizom.net https://v2.scrimba.com https://scrimba.com jsfiddle.net www.youtube-nocookie.com codepen.io survey.alchemer.com https://js.stripe.com; img-src 'self' data: *.githubusercontent.com *.googleusercontent.com *.gravatar.com mozillausercontent.com firefoxusercontent.com profile.stage.mozaws.net profile.accounts.firefox.com developer.mozilla.org mdn.dev wikipedia.org upload.wikimedia.org https://mdn.github.io/shared-assets/ https://mdn.dev/ https://*.google-analytics.com https://*.googletagmanager.com www.gstatic.com; manifest-src 'self'; media-src 'self' archive.org videos.cdn.mozilla.net https://mdn.github.io/shared-assets/; child-src 'self'; worker-src 'self'; x-goog-meta-goog-reserved-file-mtime: 1766623440 x-goog-stored-content-encoding: identity x-cloud-trace-context: d76dd9a5af61d21162af4e3b9b3288a5;o=1 last-modified: Thu, 25 Dec 2025 01:06:14 GMT expires: Thu, 25 Dec 2025 19:04:36 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-goog-metageneration: 1 origin-trial: AxVILwizhbMjxFeHOn1P3R8niO1RJY/smaK4B4d1rLzc1gTaxtXMSaTi+FoigYgCw40uFRDwFcEAeqDR+vVLOW4AAABfeyJvcmlnaW4iOiJodHRwczovL2RldmVsb3Blci5tb3ppbGxhLm9yZyIsImZlYXR1cmUiOiJQcml2YXRlQXR0cmlidXRpb25WMiIsImV4cGlyeSI6MTc0MjA3OTYwMH0= content-encoding: gzip accept-ranges: bytes age: 2089 date: Thu, 25 Dec 2025 18:39:26 GMT x-served-by: cache-sin-wsat1880091-SIN, cache-sin-wsat1880091-SIN, cache-bom-vanm7210097-BOM x-cache: MISS, HIT, MISS x-cache-hits: 0, 1, 0 x-timer: S1766687966.258875,VS0,VE53 vary: Accept-Encoding content-length: 21420 Window: crossOriginIsolated property - Web APIs | MDN

Skip to main content
Skip to search

HTML: Markup language

HTML reference

Elements
Global attributes
Attributes
See all…

HTML guides

Responsive images
HTML cheatsheet
Date & time formats
See all…

Markup languages

SVG
MathML
XML

CSS: Styling language

CSS reference

Properties
Selectors
At-rules
Values
See all…

CSS guides

Box model
Animations
Flexbox
Colors
See all…

Layout cookbook

Column layouts
Centering an element
Card component
See all…

JavaScript: Scripting language

JS reference

Standard built-in objects
Expressions & operators
Statements & declarations
Functions
See all…

JS guides

Control flow & error handing
Loops and iteration
Working with objects
Using classes
See all…

Web APIs: Programming interfaces

Web API reference

File system API
Fetch API
Geolocation API
HTML DOM API
Push API
Service worker API
See all…

Web API guides

Using the Web animation API
Using the Fetch API
Working with the History API
Using the Web speech API
Using web workers

All web technology

Technologies

Accessibility
HTTP
URI
Web extensions
WebAssembly
WebDriver
See all…

Topics

Media
Performance
Privacy
Security
Progressive web apps

Learn web development

Frontend developer course

Getting started modules
Core modules
MDN Curriculum

Learn HTML

Structuring content with HTML module

Learn CSS

CSS styling basics module
CSS layout module

Learn JavaScript

Dynamic scripting with JavaScript module

Discover our tools

Playground
HTTP Observatory

Border-image generator
Border-radius generator
Box-shadow generator
Color format converter
Color mixer
Shape generator

Get to know MDN better

About MDN
Advertise with us

Community
MDN on GitHub

Blog

Web
Web APIs
Window
crossOriginIsolated

Window: crossOriginIsolated property

The crossOriginIsolated read-only property of the Window interface returns a boolean value that indicates whether the document is cross-origin isolated.

A cross-origin isolated document only shares its browsing context group with same-origin documents in popups and navigations, and resources (both same-origin and cross-origin) that the document has opted into using via CORS (and COEP for <iframe>). The relationship between a cross-origin opener of the document or any cross-origin popups that it opens are severed. The document may also be hosted in a separate OS process alongside other documents with which it can communicate by operating on shared memory. This mitigates the risk of side-channel attacks and cross-origin attacks referred to as XS-Leaks.

Cross-origin isolated documents operate with fewer restrictions when using the following APIs:

SharedArrayBuffer can be created and sent via a Window.postMessage() or a MessagePort.postMessage() call.
Performance.now() offers better precision.
Performance.measureUserAgentSpecificMemory() can be called.

A document will be cross-origin isolated if it is returned with an HTTP response that includes the headers:

Cross-Origin-Opener-Policy header with the directive same-origin.
Cross-Origin-Embedder-Policy header with the directive require-corp or credentialless.

Access to the APIs must also be allowed by the Permissions-Policy cross-origin-isolated. Otherwise crossOriginIsolated property will return false, and the document will not be able to use the APIs listed above with reduced restrictions.

Set the Cross-Origin-Opener-Policy HTTP header to same-origin:
http
```
Cross-Origin-Opener-Policy: same-origin
```

Set the Cross-Origin-Embedder-Policy HTTP header to require-corp or credentialless:

http

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Embedder-Policy: credentialless

The cross-origin-isolated directive of the Permissions-Policy header must not block access to the feature. Note that the default allowlist of the directive is self, so the permission will be granted by default to cross-origin isolated documents.

Checking if the document is cross-origin isolated

const myWorker = new Worker("worker.js");
if (window.crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(16);
  myWorker.postMessage(buffer);
} else {
  const buffer = new ArrayBuffer(16);
  myWorker.postMessage(buffer);
}

Specifications

Specification
HTML # dom-crossoriginisolated-dev

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Mar 13, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content

Document Object Model (DOM)
Window
Instance properties
1. caches
2. closed
3. cookieStore
4. credentialless Experimental
5. crossOriginIsolated
6. crypto
7. customElements
8. devicePixelRatio
9. document
10. documentPictureInPicture Experimental
11. event Deprecated
12. external Deprecated
13. fence Experimental
14. frameElement
15. frames
16. fullScreen Non-standard
17. history
18. indexedDB
19. innerHeight
20. innerWidth
21. isSecureContext
22. launchQueue Experimental
23. length
24. localStorage
25. location
26. locationbar
27. menubar
28. mozInnerScreenX Non-standard
29. mozInnerScreenY Non-standard
30. name
31. navigation
32. navigator
33. opener
34. orientation Deprecated
35. origin
36. originAgentCluster
37. outerHeight
38. outerWidth
39. parent
40. performance
41. personalbar
42. scheduler
43. screen
44. screenLeft
45. screenTop
46. screenX
47. screenY
48. scrollbars
49. scrollMaxX Non-standard
50. scrollMaxY Non-standard
51. scrollX
52. scrollY
53. self
54. sessionStorage
55. sharedStorage Deprecated
56. speechSynthesis
57. status Deprecated
58. statusbar
59. toolbar
60. top
61. trustedTypes
62. viewport Experimental
63. visualViewport
64. window
Instance methods
1. alert()
2. atob()
3. blur() Deprecated
4. btoa()
5. cancelAnimationFrame()
6. cancelIdleCallback()
7. captureEvents() Deprecated
8. clearImmediate() Non-standard Deprecated
9. clearInterval()
10. clearTimeout()
11. close()
12. confirm()
13. createImageBitmap()
14. dump() Non-standard
15. fetch()
16. fetchLater() Experimental
17. find() Non-standard
18. focus()
19. getComputedStyle()
20. getDefaultComputedStyle() Non-standard
21. getScreenDetails() Experimental
22. getSelection()
23. matchMedia()
24. moveBy()
25. moveTo()
26. open()
27. postMessage()
28. print()
29. prompt()
30. queryLocalFonts() Experimental
31. queueMicrotask()
32. releaseEvents() Deprecated
33. reportError()
34. requestAnimationFrame()
35. requestFileSystem() Non-standard Deprecated
36. requestIdleCallback()
37. resizeBy()
38. resizeTo()
39. scroll()
40. scrollBy()
41. scrollByLines() Non-standard
42. scrollByPages() Non-standard
43. scrollTo()
44. setImmediate() Non-standard Deprecated
45. setInterval()
46. setResizable() Non-standard Deprecated
47. setTimeout()
48. showDirectoryPicker() Experimental
49. showOpenFilePicker() Experimental
50. showSaveFilePicker() Experimental
51. sizeToContent() Non-standard
52. stop()
53. structuredClone()
54. webkitConvertPointFromNodeToPage() Non-standard Deprecated
55. webkitConvertPointFromPageToNode() Non-standard Deprecated
Events
1. afterprint
2. appinstalled
3. beforeinstallprompt
4. beforeprint
5. beforeunload
6. blur
7. devicemotion
8. deviceorientation
9. deviceorientationabsolute
10. error
11. focus
12. gamepadconnected
13. gamepaddisconnected
14. hashchange
15. languagechange
16. load
17. message
18. messageerror
19. offline
20. online
21. orientationchange Deprecated
22. pagehide
23. pagereveal
24. pageshow
25. pageswap
26. popstate
27. rejectionhandled
28. resize
29. scrollsnapchange Experimental
30. scrollsnapchanging Experimental
31. storage
32. unhandledrejection
33. unload
34. vrdisplayactivate Non-standard Deprecated
35. vrdisplayconnect Non-standard Deprecated
36. vrdisplaydeactivate Non-standard Deprecated
37. vrdisplaydisconnect Non-standard Deprecated
38. vrdisplaypresentchange Non-standard Deprecated
Inheritance
1. EventTarget
Related pages for DOM
Guides

Your blueprint for a better internet.

MDN

About
Blog
Mozilla careers
Advertise with us
MDN Plus
Product help

Contribute

MDN Community
Community resources
Writing guidelines
MDN Discord
MDN on GitHub

Developers

Web technologies
Learn web development
Guides
Tutorials
Glossary
Hacks blog

Website Privacy Notice
Telemetry Settings
Legal
Community Participation Guidelines

Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–⁨2025⁩ by individual mozilla.org contributors. Content available under a Creative Commons license.

HOME
ABOUT
AUCTIONS
SHIPPING
FEES
TOOLS
HOW
FAQ
CONTACT

Original Source | Taken Source

Window: crossOriginIsolated property

Value

Examples

Cross-origin isolating a document

Checking if the document is cross-origin isolated

Specifications

Browser compatibility

See also

Help improve MDN