4

(For some people, this question may equal to "if I can't use sharedArrayBuffer in my main site, can I open an iframe and use sharedArrayBuffer inside the iframe?")

So I want to use some wasm with sharedArrayBuffer in my site, but it's impractical to make the site cross-origin-isolated, so I made another site https://my-wasm-function.app, which is cross-origin-isolated. I hope to use it as an iframe, and communicate with my main site via postMessage.

However, I found once it's embedded as an iframe, it loses the isolation status.

A similar question has been asked in March 2021, and the accepted answer was "No" at the time. However, a more recent google blogpost seems to imply otherwise, so I want to ask again.

The blogpost has some vague instructions about how to isolate an iframe, one is to add the header Cross-Origin-Resource-Policy: cross-origin (on top of COOP and COEP, I think), I tried it, didn't work. Another is to open the iframe like this: <iframe allow="cross-origin-isolated">, I tried it too, didn't work either.

ZYinMD
  • 3,602
  • 1
  • 23
  • 32
  • "some changes have been made since then" what changes exactly? If things really did change, why would one answer here rather than there? You can put a bounty on the question there to try to have an update, but really, I doubt this will ever change. (One "change" that may come soon is the ability to postMessage to the workaround's popup.) – Kaiido Sep 25 '21 at 03:30
  • Regarding your edit, that still doesn't make your answer specific enough to my eyes to not be a duplicate of the other Q/A. Regarding the blog post you linked to, you do realize its author is also [the author](https://stackoverflow.com/users/323935/agektmr) of the answer there? Have you considered simply writing a comment under their answer to ask them for clarifications? – Kaiido Sep 25 '21 at 08:51
  • Does this answer your question? [How to make my site compatible with the upcoming Cross-Origin-Isolation changes for SharedArrayBuffer](https://stackoverflow.com/questions/66804122/how-to-make-my-site-compatible-with-the-upcoming-cross-origin-isolation-changes) – Kaiido Sep 25 '21 at 08:51
  • Hi @Kaiido, I didn't notice the author is the same person! That's crazy, I'll make a comment to ask him to clarify the instructions in the blogpost. Meanwhile, the other question is poorly titled, the title asks X and the body asks Y, and the title doesn't mention iframes at all. To help future searchers, I'll leave this question open for now, and answer it myself after I get a confirmed answer. – ZYinMD Sep 25 '21 at 19:11
  • No that's not how stackoverflow works. To better help future readers, it's important that every answers are accessible in the same spot, where their merit can be measured correctly. Please edit the question there if you think it's not of good quality. – Kaiido Sep 25 '21 at 23:16

2 Answers2

4

In other words, if I can't use sharedArrayBuffer in my main site, can I open an iframe and use sharedArrayBuffer inside the iframe?

No. The parent can't convey to iframe a capability is doesn't have.

cross-origin-isolated is a capability. It enables several features, like:

  • Sharing a SharedArrayBuffer in between two workers.
  • High definition timers.
  • etc

As of March 2022: You get the capability when the top-level document uses COOP:same-origin and COEP:require-corp or COOP:credentialless. For iframe, the parent must also "convey" the capability downward using "allow='cross-origin-isolated'".

ArthurS
  • 350
  • 3
  • 5
3

The answer is no. Got confirmation from the author of that blogpost.

It's not very clear what <iframe allow="cross-origin-isolated"> achieves, maybe it can isolate an iframe without setting headers if the parent is isolated and the iframe's header is not in your control, but it'll definitely not keep the iframe isolated if the parent isn't. The blogpost author says he'll add some clarifications.

ZYinMD
  • 3,602
  • 1
  • 23
  • 32