cross-origin-isolatedThe cross-origin-isolated directive is a special directive that controls whether a document may enter the cross-origin isolated state. That state is a prerequisite for powerful features such as SharedArrayBuffer, high-resolution performance.now(), and performance.measureUserAgentSpecificMemory().
Cross-origin isolation is activated by sending the response headers Cross-Origin-Opener-Policy: same-origin (COOP) together with Cross-Origin-Embedder-Policy: require-corp or credentialless (COEP), after which self.crossOriginIsolated becomes true. On top of that, the cross-origin-isolated directive governs which frames the isolation capability propagates to. Its default allowlist is self; `cross-origin-isolated=(self)` keeps it to the document's own origin, and `cross-origin-isolated=()` prevents subframes from inheriting isolation.
Without isolation the SharedArrayBuffer constructor is blocked, timer resolution is deliberately reduced, and other Spectre-class side-channel mitigations apply. So it is a two-part model: COOP+COEP establish isolation, and this directive decides whether that capability is delegated to frames. Unlike most directives, it does not gate a feature API directly but coordinates the propagation of the isolation capability.
Permissions-Policy: cross-origin-isolated=(self)