SharedArrayBuffer: COOP and COEP headers for cross-origin isolation, and CORS for embedded assets
Cross-origin isolation requires `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy`—third-party iframes must cooperate.
Third-party widgets
Payment and chat widgets may break under COEP—test embed contracts early.
Credentialless iframes are an escape hatch with tradeoffs.
WASM threads
pthread workers share memory through `SharedArrayBuffer`, which is only available on cross-origin isolated pages, so align deployment headers across static and API hosts.
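
As an added example (not code from the original post), this JavaScript audit takes the response headers of a page and of everything it embeds, then reports whether the page would be cross-origin isolated and which embeds COEP would block. The hosts, header sets and field names (`kind`, `mode`, `credentialless`) are constructed assumptions.

```javascript
// Added example. Header values and hosts below are constructed, not captured traffic.
const COEP_OK = new Set(["require-corp", "credentialless"]);
// First token of a header value, lower-cased (drops parameters such as report-to).
const token = (v) => (v || "").split(";")[0].trim().toLowerCase();
const lower = (h) =>
  Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), v]));

// doc: { origin, headers }. embeds: [{ url, kind, mode, credentialless, headers }]
// (hypothetical field names): kind is "iframe" or "subresource", mode is "cors" or "no-cors".
function auditIsolation(doc, embeds) {
  const dh = lower(doc.headers);
  const coep = token(dh["cross-origin-embedder-policy"]);
  const isolated =
    token(dh["cross-origin-opener-policy"]) === "same-origin" && COEP_OK.has(coep);
  const blocked = [];
  if (!COEP_OK.has(coep)) return { isolated, blocked }; // COEP not enforced
  for (const e of embeds) {
    const h = lower(e.headers);
    const cross = new URL(e.url).origin !== doc.origin;
    // Simplification: only "cross-origin" is accepted; "same-site" needs a site comparison.
    const corpOk = token(h["cross-origin-resource-policy"]) === "cross-origin";
    let reason = null;
    if (e.kind === "iframe") {
      if (e.credentialless) continue; // <iframe credentialless> is exempt
      if (!COEP_OK.has(token(h["cross-origin-embedder-policy"]))) reason = "iframe response has no COEP";
      else if (cross && !corpOk) reason = "iframe response lacks CORP: cross-origin";
    } else if (cross && e.mode === "cors") {
      // Simplification: credentialed CORS (which forbids "*") is not modelled.
      const acao = (h["access-control-allow-origin"] || "").trim();
      if (acao !== "*" && acao !== doc.origin) reason = "CORS check fails";
    } else if (cross && coep === "require-corp" && !corpOk) {
      reason = "no-cors response lacks CORP: cross-origin";
    }
    if (reason) blocked.push({ url: e.url, reason });
  }
  return { isolated, blocked };
}

// Constructed sample: an app page with an asset on a static host plus three widgets.
const SAMPLE_DOC = { origin: "https://app.example", headers: {
  "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" } };
const SAMPLE_EMBEDS = [
  { url: "https://static.example/app.wasm", kind: "subresource", mode: "cors",
    headers: { "Access-Control-Allow-Origin": "https://app.example" } },
  { url: "https://chat.example/widget.js", kind: "subresource", mode: "no-cors", headers: {} },
  { url: "https://pay.example/frame", kind: "iframe", headers: {} },
  { url: "https://pay.example/frame2", kind: "iframe", credentialless: true, headers: {} },
];
console.log(auditIsolation(SAMPLE_DOC, SAMPLE_EMBEDS));
```

Run against the sample, the chat script and the first payment iframe are reported as blocked, while the CORS-loaded WASM file and the credentialless iframe pass.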
