Origin Isolation and Spectre Mitigations
Origin Isolation and Spectre Mitigations
Implementing Cross-Origin Isolation
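/**
 * Express-style helper that emits the response headers needed to make a
 * document cross-origin isolated (COOP + COEP), plus Origin-Agent-Cluster.
 *
 * Cross-origin isolation is what browsers require before exposing
 * SharedArrayBuffer, because shared memory can be used to build the kind of
 * high-resolution timer that Spectre-style side channels rely on.
 */
class CrossOriginIsolation {
  /**
   * @param {object} [options]
   * @param {boolean} [options.enableSharedArrayBuffer=false] - When truthy,
   *   send the enforcing COOP/COEP headers on every response.
   * @param {string} [options.reportingEndpoint='/isolation-reports'] - URL
   *   advertised in the Report-To header when report-only mode is on.
   */
  constructor(options = {}) {
    this.enableSharedArrayBuffer = options.enableSharedArrayBuffer || false;
    this.reportingEndpoint = options.reportingEndpoint || '/isolation-reports';
  }

  /**
   * Builds the middleware that sets the isolation headers.
   *
   * Report-only mode is switched on by the ISOLATION_REPORT_ONLY environment
   * variable (exact string 'true'), read on every request.
   *
   * @returns {(req: object, res: object, next: Function) => void}
   */
  middleware() {
    // Name shared by the Report-To group and the report-to parameters below.
    const reportGroup = 'isolation';

    return (req, res, next) => {
      if (this.enableSharedArrayBuffer) {
        // Enforcing headers required for SharedArrayBuffer. With
        // COEP: require-corp, every cross-origin subresource has to opt in
        // (CORP or CORS) or the browser blocks it, so roll out with
        // report-only mode first.
        res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
        res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
      }

      // Report-only mode for testing
      if (process.env.ISOLATION_REPORT_ONLY === 'true') {
        // The policy headers must name the reporting group; declaring a
        // Report-To group alone does not route violation reports to it.
        res.setHeader(
          'Cross-Origin-Opener-Policy-Report-Only',
          `same-origin; report-to="${reportGroup}"`,
        );
        res.setHeader(
          'Cross-Origin-Embedder-Policy-Report-Only',
          `require-corp; report-to="${reportGroup}"`,
        );
        // NOTE(review): the default endpoint is a relative path; browsers may
        // expect an absolute https URL in Report-To. Confirm, and pass an
        // absolute reportingEndpoint if reports do not arrive.
        res.setHeader('Report-To', JSON.stringify({
          group: reportGroup,
          max_age: 86400,
          endpoints: [{ url: this.reportingEndpoint }],
        }));
      }

      // Add Origin-Agent-Cluster for additional isolation ('?1' is the
      // structured-header boolean true). Sent unconditionally.
      res.setHeader('Origin-Agent-Cluster', '?1');
      next();
    };
  }

  /**
   * Helper to check if isolation is working.
   *
   * Returns a static inline <script> snippet (nothing is interpolated into
   * it) that logs whether the page is cross-origin isolated and whether
   * SharedArrayBuffer can be constructed. As an inline script it needs a
   * nonce or hash to run on pages served with a strict Content-Security-Policy.
   *
   * @returns {string} HTML markup containing the diagnostic script.
   */
  checkIsolation() {
    return `
<script>
  if (window.crossOriginIsolated) {
    console.log('✓ Cross-origin isolated');
    // Test SharedArrayBuffer
    try {
      new SharedArrayBuffer(1);
      console.log('✓ SharedArrayBuffer available');
    } catch (e) {
      console.error('✗ SharedArrayBuffer not available:', e);
    }
  } else {
    console.warn('✗ Not cross-origin isolated');
    // This is the feature-policy allowlist for the feature, not the COOP
    // header value; document.featurePolicy is not available in every browser.
    console.log('cross-origin-isolated allowlist:', document.featurePolicy?.getAllowlistForFeature('cross-origin-isolated'));
  }
</script>
`;
  }
}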