Hello everyone ,
Using SharedArrayBuffer for enhanced performance requires cross-origin isolating (COI) of the document. Unfortunately, and for security reasons, cross-origin isolating the document alone is not enough. As soon as a document is cross-origin isolated, all of its ancestors and sub-resources/iframes need to become COI as well. This makes it a bit difficult to adopt COI at scale as there are multiple parties involved and not just the developer of the document in question.
To work around the issue of sub-resources/iframes not being COI, there has been some amazing work done on “credentialless iframes” and “COEP: credentialless”.
Having said that, the other side of this issue; namely having to embed a COI iframe inside a document that isn’t COI, does not seem to have similar proposals. This poses a problem for services that want to use SharedArrayBuffer while aiming to provide an embedded product; think the youtube embed widget if it were to become COI!
Would love to hear your thoughts