Chrome 91 will enable cross-domain restrictions with SharedArrayBuffer

It is expected that starting from Chrome 91 in May this year, all platforms will need to enable cross-domain isolation to access APIs such as SharedArrayBuffer and performance.measureUserAgentSpecificMemory(). This will align the desktop platform with Android, which released this restriction in Chrome 88.

If you need to use these APIs, you must provide the following headers for the page to ensure that the page is isolated across domains:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

After performing this operation, unless the resource is explicitly allowed by the Cross-Origin-Resource-Policy header or CORS header (Access-Control-Allow- * etc.), the page will not be able to load cross-domain content.

SharedArrayBuffer was introduced in Chrome 60 in July 2017. However, a serious vulnerability was discovered in January 2018. In some mainstream CPUs, the data cache timing may be abused, causing the code to read memory that it should not access.

At that time, after reducing the frequency of timers such as performance.now() and still unable to solve the problem, Chrome chose to completely disable SharedArrayBuffer. It was not until July 18 that Chrome 68 took cross-domain read blocking and other mitigation measures before reopening SharedArrayBuffer.

However, this solution still has shortcomings. Not only is it impossible to perform the same operations on mobile devices, but it also prevents “incorrect” data formats and cannot prevent valid CSS/JS/images in the URL that may contain private data. Therefore, Chrome now proposes a more complete solution, which is to complete the cross-domain isolation declaration through the COOP and COEP headers attached to the page to access SharedArrayBuffer and other APIs with similar functions, and you can use Cross-Origin-Resource-Policy or CORS embedded in other content.

Firefox first released this restriction in version 79 in July 2020, while Chrome 88 was introduced in Android, and the desktop will be introduced from Chrome 91. For more information about cross-domain restrictions, please refer to its official blog.