Cinevva

English

简体中文

English

简体中文

Appearance

Cross-Origin Isolation Checker

Find out whether this page is cross-origin isolated, and whether SharedArrayBuffer and multithreaded WebAssembly will work. The tool reads the page's COOP and COEP headers and runs a live shared-memory test between the main thread and a Web Worker. It all runs locally, nothing is uploaded.

Checking your own site

This tool checks the page it's loaded on. To test your own headers, drop the same checks into a page on your site, or open your site and run crossOriginIsolated in the browser console.

Why Cross-Origin Isolation Matters for Web Games

Some of the most useful browser capabilities are locked behind cross-origin isolation, and for games the big one is SharedArrayBuffer, the shared memory that makes multithreaded WebAssembly possible. If your engine ships a threaded web build, it won't run without it:

  • Godot web exports historically required SharedArrayBuffer (Godot 4.3+ added a single-threaded export to avoid the headers).
  • Unity multithreaded WebGL builds need it.
  • Emscripten pthreads, ffmpeg.wasm, and many physics and codec libraries need it too.

Without isolation the browser also withholds high-resolution timers and performance.measureUserAgentSpecificMemory(). So if a threaded game silently fails to load, or performance.now() looks suspiciously coarse, an isolation check is the first thing to run.

How Cross-Origin Isolation Works

A page becomes cross-origin isolated when it sends two response headers on the HTML document:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

COOP: same-origin cuts the page off from other windows that aren't same-origin. COEP: require-corp says every subresource must explicitly opt in to being embedded. When both are set, self.crossOriginIsolated becomes true and SharedArrayBuffer is unlocked.

The catch is COEP: once it's on, every cross-origin resource (CDN images, fonts, scripts, iframes) must send Cross-Origin-Resource-Policy: cross-origin or be fetched with CORS, or the browser blocks it. That's the part that usually breaks sites. If you can't control your third-party resources, use Cross-Origin-Embedder-Policy: credentialless instead, which loads cross-origin resources without credentials rather than requiring them to opt in.

How to Enable It

Cloudflare Pages (a _headers file):

/*
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Embedder-Policy: require-corp

Vite dev server (vite.config.js):

js
export default {
  server: {
    headers: {
      'Cross-Origin-Opener-Policy': 'same-origin',
      'Cross-Origin-Embedder-Policy': 'require-corp',
    },
  },
}

nginx:

add_header Cross-Origin-Opener-Policy same-origin;
add_header Cross-Origin-Embedder-Policy require-corp;

itch.io: enable "SharedArrayBuffer support" in your HTML game's embed options, which sets the headers for you.

After deploying, reload and re-run the checker. crossOriginIsolated should flip to true.

Common Questions

How do I check if my page is cross-origin isolated?

Run this tool on the page, or open your browser console and check crossOriginIsolated. If it returns true, the page is isolated and SharedArrayBuffer is available. This tool also reads your COOP/COEP headers and runs a live worker test so you can see shared memory actually working.

Why is SharedArrayBuffer undefined?

Browsers only expose SharedArrayBuffer to cross-origin isolated pages. If it's undefined, your page is missing the Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp headers, or a cross-origin resource is blocking isolation under COEP. Set the headers (see above) and re-test.

What are COOP and COEP?

Cross-Origin-Opener-Policy (COOP) controls how a page interacts with other browsing windows. Cross-Origin-Embedder-Policy (COEP) controls which subresources can be embedded. Setting COOP: same-origin and COEP: require-corp together makes a page cross-origin isolated, which unlocks SharedArrayBuffer and other powerful features.

My WebAssembly game won't load in the browser. Is this why?

Often, yes. Threaded WebAssembly builds (some Godot and Unity web exports, Emscripten pthreads, ffmpeg.wasm) need SharedArrayBuffer, which requires cross-origin isolation. If the checker above shows "not isolated," set the COOP/COEP headers, or use a single-threaded build of the engine where available.

Does enabling COEP break my third-party embeds?

It can. With COEP: require-corp, every cross-origin resource must send Cross-Origin-Resource-Policy or use CORS, otherwise it's blocked. If you embed CDN assets or third-party scripts you don't control, use COEP: credentialless instead, which avoids that requirement.