Document Isolation Policy: Enable powerful web features with ease

Camille Lamy

Published: May 1, 2025

Starting in Chrome 137, Document Isolation Policy is a new feature that makes crossOriginIsolation adoption easier. Unlike COEP (Cross-Origin-Embedder-Policy), Document Isolation Policy applies per frame and makes no requirements of subframes. By enabling crossOriginIsolation, Document Isolation Policy unlocks access to powerful web functionalities like SharedArrayBuffers or WebAssembly threads.

What is cross-origin isolation?

Cross-origin isolation draws a firm boundary around a document and its same-origin relatives within the browser's process. It prevents the document from being grouped and potentially sharing resources or information with documents from different origins. Cross-origin isolation achieves this by ensuring the origin can be loaded in its own process, regardless of the status of the underlying browser engine's support for site isolation or cross-origin isolation by default. This helps protect against speculative execution attacks, such as Spectre.

What is Document Isolation Policy?

Document Isolation Policy provides a more straightforward way to implement crossOriginIsolation, when compared to COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy). It allows for isolation on a per-frame basis, eliminating the need for embedded iframes to support COEP.

How Document Isolation Policy works

Document Isolation Policy lets you isolate specific frames within your web application. By sending a Document-Isolation-Policy header with your document, the document gains access to powerful features like SharedArrayBuffers, which are otherwise restricted due to security concerns. Unlike COOP and COEP, Document Isolation Policy doesn't impose restrictions on the pages the document can communicate with or on the child frames it can embed. Documents with Document Isolation Policy can open cross-origin popups and communicate with them. They can also embed any iframe normally.

Document Isolation Policy, similar to COEP, has two modes: isolate-and-require-corp and isolate-and-credentialless. These modes govern how cross-origin subresources loaded without Cross-Origin Resource Sharing (CORS) are handled. In isolate-and-require-corp mode, cross-origin resources must explicitly declare their cross-origin resource policy using the Cross-Origin-Resource-Policy header; if not, they are blocked. This ensures that resources are intentionally shared. Conversely, isolate-and-credentialless mode allows cross-origin resources to be loaded without CORS headers but strips any credentials (like cookies or HTTP authentication) from the request, effectively treating the resource as if it were anonymous. This mode provides a less restrictive but still secure way to handle non-CORS resources.

Iframes isolated with Document Isolation Policy don't have synchronous DOM access to same-origin iframes that are not isolated. However, these isolated iframes can still communicate with non-isolated frames using cross-origin Window methods like postMessage. Additionally, they retain full access to storage APIs, allowing for data persistence and sharing within the same origin, even with isolation enabled.