What cross-origin isolation means
Cross-origin isolation is a browser state that places a document in its own process and walls it off from other origins unless they explicitly opt in. When a page is isolated, the browser unlocks features that were switched off across the web after the Spectre attacks, including SharedArrayBuffer and high-resolution timers. Without isolation those features stay disabled, because a shared memory buffer paired with a precise clock is exactly what a Spectre-style side channel needs to read memory it should never see.
Spectre made this necessary. The vulnerability let code measure tiny timing differences to infer data from other contexts in the same process, so browsers removed the precise timing primitives from ordinary pages. To earn them back a page has to prove it is sealed off from cross-origin content, and that proof is the exact combination of two response headers this checker tests.
The exact COOP and COEP combination
A page becomes isolated when it returns Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp, or the newer credentialless value. COOP cuts the link to any window that opened the page or that the page opened, so other documents cannot reach into it. COEP forces every subresource to opt in, either with its own Cross-Origin-Resource-Policy header or through a successful CORS check. Either header on its own does nothing for isolation. The browser only flips the switch when both arrive together.
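The header combination described above, written as a check over one response's headers. This is an added example, not the checker's own code; the function names and the sample responses are constructed for illustration.

```javascript
// Return the policy token of a header value, dropping any parameters
// such as `; report-to="endpoint"` and surrounding whitespace.
function policyToken(value) {
  if (typeof value !== "string") return null;
  const token = value.split(";")[0].trim();
  return token === "" ? null : token;
}

// `headers` is a plain object of response headers. Header names are
// matched case-insensitively, as HTTP header names are.
function checkIsolationHeaders(headers) {
  const byName = {};
  for (const [name, value] of Object.entries(headers)) {
    byName[name.toLowerCase()] = value;
  }
  const coop = policyToken(byName["cross-origin-opener-policy"]);
  const coep = policyToken(byName["cross-origin-embedder-policy"]);

  // Both conditions must hold; either header alone is not enough.
  const problems = [];
  if (coop !== "same-origin") {
    problems.push(`COOP is ${coop ?? "missing"}, need same-origin`);
  }
  if (coep !== "require-corp" && coep !== "credentialless") {
    problems.push(`COEP is ${coep ?? "missing"}, need require-corp or credentialless`);
  }
  return { coop, coep, isolated: problems.length === 0, problems };
}

// Constructed sample responses, not captured from a real site.
const samples = {
  both: { "Cross-Origin-Opener-Policy": "same-origin",
          "Cross-Origin-Embedder-Policy": "require-corp" },
  credentialless: { "cross-origin-opener-policy": "same-origin",
                    "cross-origin-embedder-policy": 'credentialless; report-to="coep"' },
  coopOnly: { "Cross-Origin-Opener-Policy": "same-origin" },
  weakCoop: { "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
              "Cross-Origin-Embedder-Policy": "require-corp" },
};

for (const [label, headers] of Object.entries(samples)) {
  const result = checkIsolationHeaders(headers);
  console.log(label, result.isolated ? "isolated" : result.problems.join("; "));
}
```

The check covers only the document's own response headers; each subresource still has to opt in as COEP requires.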
How to verify crossOriginIsolated
You can confirm the result yourself in seconds. Load the page, open the developer console, and type crossOriginIsolated. A value of true means the page is isolated and the gated features are available, while false means a header is missing or a subresource is blocking the state. For the full background on each header, the trade-offs, and how to roll isolation out without breaking embedded content, read the cross-origin isolation guide.