webassemblysharedarraybuffercross-origin-embedder-policycross-origin-opener-policycross-origin-resource-policy

Is it possible to embed a cross-origin-isolated iframe inside a normal page?


(For some people, this question may equal to "if I can't use sharedArrayBuffer in my main site, can I open an iframe and use sharedArrayBuffer inside the iframe?")

So I want to use some wasm with sharedArrayBuffer in my site, but it's impractical to make the site cross-origin-isolated, so I made another site https://my-wasm-function.app, which is cross-origin-isolated. I hope to use it as an iframe, and communicate with my main site via postMessage.

However, I found once it's embedded as an iframe, it loses the isolation status.

A similar question has been asked in March 2021, and the accepted answer was "No" at the time. However, a more recent google blogpost seems to imply otherwise, so I want to ask again.

The blogpost has some vague instructions about how to isolate an iframe, one is to add the header Cross-Origin-Resource-Policy: cross-origin (on top of COOP and COEP, I think), I tried it, didn't work. Another is to open the iframe like this: <iframe allow="cross-origin-isolated">, I tried it too, didn't work either.


Solution

  • The answer is no. Got confirmation from the author of that blogpost.

    It's not very clear what <iframe allow="cross-origin-isolated"> achieves, maybe it can isolate an iframe without setting headers if the parent is isolated and the iframe's header is not in your control, but it'll definitely not keep the iframe isolated if the parent isn't. The blogpost author says he'll add some clarifications.