Enable Wasm threads (SharedArrayBuffer) with COOP/COEP
If your web game (or engine export) uses WebAssembly threads, it often relies on SharedArrayBuffer. Modern browsers require cross-origin isolation for that.
1) Quick check: are you isolated?
Open DevTools and run:
js
self.crossOriginIsolatedIf it’s true, you’re in the right security state for SharedArrayBuffer.
Official reference:
https://developer.mozilla.org/docs/Web/API/Window/crossOriginIsolated
2) The two headers you need
Serve these response headers on your HTML (and typically across your app):
http
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corpOfficial references:
https://web.dev/articles/why-coop-coephttps://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBufferhttps://developer.chrome.com/blog/enabling-shared-array-buffer/
3) The #1 reason it “still doesn’t work”: subresources
With COEP: require-corp, your page can’t freely embed cross-origin resources anymore.
If you load a cross-origin script/image/worker/video/etc, that resource must opt in via:
- CORS (
Access-Control-Allow-Origin) or - CORP (
Cross-Origin-Resource-Policy)
Official reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
4) Copy/paste configs
Nginx
nginx
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;Node / Express
js
app.use((req, res, next) => {
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin')
res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp')
next()
})Cloudflare Pages (_headers)
txt
/*
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp5) Debugging checklist
- Confirm the headers are present on the document response in the Network panel.
- Check
self.crossOriginIsolated. - Look for blocked requests (common DevTools message includes “blocked … by COEP”).
- Remove or self-host any third‑party scripts that don’t support CORS/CORP.