A document becomes cross-origin isolated only when it is served with
both COOP: same-origin and a credential-restricting
COEP (require-corp or credentialless). Isolation is what
re-unlocks the powerful APIs that browsers disabled after Spectre. Pick headers and watch the gate.
Live readout of self.crossOriginIsolated in the page you're viewing — it is almost certainly false here, which is exactly the point.
Turning on COEP is not free: every cross-origin subresource must now opt in
to being embedded, or it gets blocked. The opt-in is the resource's
Cross-Origin-Resource-Policy (CORP) header — or a successful CORS handshake.
Configure a resource and see whether your page (with the COEP above) can load it.
In 2018 the Spectre CPU side-channel showed that a high-resolution timer plus shared memory lets one origin infer bytes from another sharing the same process. Browsers reacted by neutering the dangerous primitives for everyone:
SharedArrayBuffer — removed/gatedperformance.now() — coarsened to ~100µsAtomics.wait, JS self-profiling, precise GPU timing — gated
Cross-origin isolation is the deal you strike to get them back: "I promise nothing untrusted
and credentialed shares my process — so the timer can't leak anyone's secrets." COOP severs
cross-origin window relationships; COEP guarantees every embedded byte opted in. Only then does the
browser flip crossOriginIsolated = true and hand back the sharp tools.