What unlocks crossOriginIsolated?

A document is cross-origin isolated only when it sends both Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp (or credentialless). Once isolated, window.crossOriginIsolated is true and SharedArrayBuffer and high-resolution timers become available.

Cross-Origin-Resource-Policy is set by a resource to say who may embed it: same-origin, same-site or cross-origin. Under COEP require-corp, any cross-origin subresource must send CORP cross-origin (or be fetched with CORS) or it is blocked.

What is the difference between require-corp and credentialless?

require-corp demands each cross-origin resource opt in via CORP or CORS. credentialless still isolates the page but fetches no-CORS cross-origin resources without credentials instead of requiring CORP, easing adoption while keeping isolation.

Why does COOP matter for popups?

Cross-Origin-Opener-Policy: same-origin severs the window.opener relationship with cross-origin documents, putting your page in its own browsing-context group. This both hardens against cross-window attacks and is a prerequisite for cross-origin isolation.

Does this tool change any headers?

No. It only explains the values and computes the isolation outcome locally. You still set the real headers on your server or CDN.

COEP / CORP / COOP Headers Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Earning cross-origin isolation

Powerful web APIs such as SharedArrayBuffer and unthrottled performance.now() are gated behind cross-origin isolation. A document earns it by combining three headers — Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) and, on its subresources, Cross-Origin-Resource-Policy (CORP). This reference covers each header’s values and computes whether a given COOP/COEP pair isolates the page.

How it works

COOP controls the document’s browsing-context group; COEP controls how it may embed cross-origin resources; CORP is set by each resource to declare who may embed it:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin

Isolation is granted only when the top-level document sends COOP: same-origin and COEP: require-corp or credentialless. With require-corp, every cross-origin subresource must opt in with a CORP header (or be loaded via CORS) or the browser blocks it. credentialless relaxes that by loading no-CORS cross-origin resources without credentials.

Tips and notes

Both COOP and COEP must be present and correct — one alone does nothing.
Audit subresources before enabling COEP; missing CORP/CORS will break images, scripts and fonts.
COOP: same-origin-allow-popups keeps opener for popups you open but does not enable isolation.
Check self.crossOriginIsolated at runtime to confirm the page is isolated.
Prefer credentialless for faster rollout when you cannot add CORP to every dependency.