Embedding a cross-origin isolated iframe in a document that isn't

Hello everyone :wave:t2:,

Using SharedArrayBuffer for enhanced performance requires cross-origin isolating (COI) of the document. Unfortunately, and for security reasons, cross-origin isolating the document alone is not enough. As soon as a document is cross-origin isolated, all of its ancestors and sub-resources/iframes need to become COI as well. This makes it a bit difficult to adopt COI at scale as there are multiple parties involved and not just the developer of the document in question.

To work around the issue of sub-resources/iframes not being COI, there has been some amazing work done on “credentialless iframes” and “COEP: credentialless”.

Having said that, the other side of this issue; namely having to embed a COI iframe inside a document that isn’t COI, does not seem to have similar proposals. This poses a problem for services that want to use SharedArrayBuffer while aiming to provide an embedded product; think the youtube embed widget if it were to become COI!

Would love to hear your thoughts :slightly_smiling_face: