Security + Performance

Unlock Powerful Browser Features Without Breaking Production

Cross-origin isolation enables SharedArrayBuffer and high-precision timers — but deploying COOP and COEP can break OAuth popups and payment gateways. Report-Only mode lets you test safely before enforcement.

The Problem

Powerful Features Locked Behind Security Walls

In January 2018, the Spectre disclosure changed everything. Researchers demonstrated that JavaScript on a malicious page could abuse speculative execution, timed with high-resolution timers, to read memory anywhere in its own renderer process. At the time that process routinely held other sites' documents, so passwords and session tokens from other tabs were in reach. Browsers responded by disabling SharedArrayBuffer and coarsening timer precision across the web.

For most sites, this was invisible. But for high-performance applications (WebAssembly games, browser-based video editors, data visualization tools, and crypto wallets) it was devastating. WebAssembly threads, which depend on SharedArrayBuffer for shared memory, disappeared. Complex computations that once ran smoothly now stuttered or failed entirely.

Google's own Squoosh image optimization app needed WebAssembly threads to compress images efficiently. Without SharedArrayBuffer, it couldn't deliver the performance users expected on mobile devices.

Browsers created a path forward: cross-origin isolation. Sites that opt into strict security policies can re-enable these powerful features. But the policies come with a cost — and without visibility, that cost can break your production site.

The Solution

Cross-Origin Isolation: Security That Enables Power

Cross-origin isolation is achieved through two HTTP headers working together: Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP).

COOP controls whether your top-level document shares a browsing context group with cross-origin windows that opened it or that it opens. With same-origin, any cross-origin opener or popup loses its window reference to your page, which lets the browser place your site in its own process. Cross-origin documents can then no longer sit in the same address space that a Spectre-style attack would read.

COEP (require-corp) ensures that every cross-origin resource your document loads has explicitly opted in: either through CORS on a cors-mode request (a matching Access-Control-Allow-Origin) or through a Cross-Origin-Resource-Policy header on a plain no-cors load such as an <img> or <script>. Anything without an opt-in is blocked, so your process never holds cross-origin data that a Spectre-style read through your site could leak.

Together, COOP: same-origin and COEP (require-corp, or credentialless) put the page into cross-origin isolation, visible as self.crossOriginIsolated === true. That state unlocks SharedArrayBuffer, high-precision timers (in Chrome, performance.now() resolution improves from 100 microseconds to 5 microseconds), and the performance.measureUserAgentSpecificMemory() API.

Browser support is excellent: 91.9% for COOP and 92.36% for COEP. Chrome 83+, Firefox 79+, Safari 15.2+, and Edge 83+ all support cross-origin isolation. Configuration is pure HTTP headers — no JavaScript SDK or build process changes required.

The Challenge

But Isolation Breaks Critical Integrations

Here's the painful truth: Cross-Origin-Opener-Policy: same-origin severs the connection between your site and any cross-origin popup it opens. The popup's window.opener is null, so it has nothing to postMessage to, and the handle window.open() returned to your page goes dead. The weaker same-origin-allow-popups value keeps that link for popups you open, but only same-origin qualifies a page for cross-origin isolation.

This breaks popup-based OAuth flows. When users sign in with Google, GitHub, or any provider whose SDK uses a popup, the popup completes authentication but can't postMessage the authorization code or token back to your app. Users click "Sign in" and nothing happens.

It breaks payment gateways. Stripe, PayPal, and others use popups or iframes to handle sensitive card data. Popup-based flows lose their opener link under COOP; iframe-based ones are blocked under COEP unless the embedded document itself sends a matching COEP and a Cross-Origin-Resource-Policy header. Either way the failure is silent: customers try to pay and can't.

Third-party resources without proper headers are blocked entirely by COEP. Your analytics, your ads, your embedded widgets, your fonts: anything loaded without CORS that doesn't respond with a Cross-Origin-Resource-Policy header simply won't load, because require-corp treats a missing header as same-origin.
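To make the popup behaviour above concrete, here is an added example (not code from this page or its product) that models the HTML spec's "check if COOP values require a browsing context group switch" algorithm and uses it to predict whether an OAuth-style popup keeps its window.opener link under each COOP value. The origins https://app.example, https://idp.example and https://attacker.example and the header values are constructed for illustration; what a real identity provider sends varies and is not assumed here.

```javascript
// Added example (not the page's product code): a model of the HTML spec's
// "check if COOP values require a browsing context group switch" algorithm,
// used to predict whether a popup keeps its window.opener link. Origins and
// header values below are constructed; real identity providers' headers vary.

const COOP_VALUES = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);

// A document's COOP is the header value together with the origin it was served from.
// A missing header means unsafe-none.
function coop(origin, value = "unsafe-none") {
  if (!COOP_VALUES.has(value)) throw new Error(`unknown COOP value: ${value}`);
  return { origin, value };
}

// Two COOPs match when both are unsafe-none, or when they carry the same
// non-unsafe-none value and come from the same origin.
function coopMatches(a, b) {
  if (a.value === "unsafe-none" && b.value === "unsafe-none") return true;
  if (a.value === "unsafe-none" || b.value === "unsafe-none") return false;
  return a.value === b.value && a.origin === b.origin;
}

// True when navigating a browsing context from `current` to `response` forces a
// new browsing context group, which severs every opener/openee WindowProxy.
// `isInitialAboutBlank` is true for a popup's first navigation: a new popup
// starts as about:blank and inherits its opener's COOP.
function requiresGroupSwitch(current, response, isInitialAboutBlank) {
  if (coopMatches(current, response)) return false;
  if (isInitialAboutBlank &&
      current.value === "same-origin-allow-popups" &&
      response.value === "unsafe-none") return false;
  return true;
}

// Does a popup opened by a page with `openerCoop` and navigated to a response
// with `popupCoop` keep a live window.opener (and so a postMessage path back)?
function popupKeepsOpener(openerCoop, popupCoop) {
  return !requiresGroupSwitch(openerCoop, popupCoop, true);
}

// Mirror image: when some other site opens *your* page in a popup, does that
// opener keep a handle on you? This is the access COOP exists to cut.
function foreignOpenerKeepsHandle(openerCoop, yourPageCoop) {
  return !requiresGroupSwitch(openerCoop, yourPageCoop, true);
}

// Constructed scenario: https://app.example opens an identity-provider popup on
// https://idp.example whose response carries no COOP header.
const APP = "https://app.example";
const IDP = "https://idp.example";

function popupOutcomes() {
  return ["unsafe-none", "same-origin", "same-origin-allow-popups"].map((value) => ({
    appCoop: value,
    oauthPopupKeepsOpener: popupKeepsOpener(coop(APP, value), coop(IDP)),
    foreignOpenerKeepsHandle: foreignOpenerKeepsHandle(coop("https://attacker.example"), coop(APP, value)),
  }));
}

console.table(popupOutcomes());
```

The table shows the trade-off the text describes: same-origin cuts both the hostile opener and your own OAuth popup, while same-origin-allow-popups cuts only the hostile opener. Note that the exception applies only when the popup's response is unsafe-none; a cross-origin popup that itself sends COOP: same-origin is severed regardless.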
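The resource blocking described above (and the CORS/CORP opt-in mechanics of COEP) can be audited before deployment. The following is an added example, not code from this page or its product: a model of the Fetch spec's cross-origin resource policy check as applied under Cross-Origin-Embedder-Policy: require-corp. Given the embedding document's origin, how a resource is requested and the response headers it came back with, it predicts whether the browser will block the load. The document origin https://app.example, the resource hosts and the header sets are constructed; COEP: credentialless is not modeled, and the "same-site" comparison is a two-label heuristic rather than the Public Suffix List browsers actually use.

```javascript
// Added example (not the page's product code): a model of the Fetch spec's
// cross-origin resource policy (CORP) check as it applies under
// Cross-Origin-Embedder-Policy: require-corp. COEP: credentialless is not
// modeled; the "site" comparison is a two-label heuristic, not the Public
// Suffix List real browsers use.

const CORP_VALUES = ["same-origin", "same-site", "cross-origin"];

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Heuristic registrable domain: last two DNS labels.
function siteOf(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// CORS check for mode "cors" requests: the server must name the document's
// origin (or "*", which is not accepted when credentials are sent).
function corsAllows(documentOrigin, headers, credentials) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !credentials;
  if (acao !== documentOrigin) return false;
  return !credentials || headers["access-control-allow-credentials"] === "true";
}

// `headers` keys must be lowercase. Returns { allowed, reason }.
function requireCorpAllows({ documentOrigin, resourceUrl, mode = "no-cors", credentials = false, headers = {} }) {
  const resourceOrigin = originOf(resourceUrl);
  if (resourceOrigin === documentOrigin) return { allowed: true, reason: "same-origin resource" };

  if (mode === "cors") {
    return corsAllows(documentOrigin, headers, credentials)
      ? { allowed: true, reason: "CORS opt-in (Access-Control-Allow-Origin)" }
      : { allowed: false, reason: "cross-origin CORS request without a matching Access-Control-Allow-Origin" };
  }

  // no-cors load: CORP check. Under require-corp a missing or malformed header
  // is treated as "same-origin", which is exactly why un-opted-in third parties break.
  const raw = (headers["cross-origin-resource-policy"] || "").trim().toLowerCase();
  const policy = CORP_VALUES.includes(raw) ? raw : "same-origin";
  if (policy === "cross-origin") return { allowed: true, reason: "CORP: cross-origin" };
  if (policy === "same-origin") {
    return { allowed: false, reason: raw ? "CORP: same-origin" : "no Cross-Origin-Resource-Policy header (require-corp defaults to same-origin)" };
  }
  // same-site also requires the document to be https, or the resource to be non-https.
  const sameSite = siteOf(documentOrigin) === siteOf(resourceOrigin);
  const schemeOk = new URL(documentOrigin).protocol === "https:" || new URL(resourceUrl).protocol !== "https:";
  return sameSite && schemeOk
    ? { allowed: true, reason: "CORP: same-site" }
    : { allowed: false, reason: "CORP: same-site, but resource is on a different site" };
}

// Constructed audit of the kinds of loads the text describes, from https://app.example.
const DOCUMENT_ORIGIN = "https://app.example";
const SAMPLE_LOADS = [
  { label: "analytics script, no headers", resourceUrl: "https://cdn.example/analytics.js" },
  { label: "CDN script with CORP: cross-origin", resourceUrl: "https://cdn.example/lib.js",
    headers: { "cross-origin-resource-policy": "cross-origin" } },
  { label: "API fetch with CORS", resourceUrl: "https://api.example/data", mode: "cors",
    headers: { "access-control-allow-origin": "https://app.example" } },
  { label: "own static host with CORP: same-site", resourceUrl: "https://static.app.example/logo.png",
    headers: { "cross-origin-resource-policy": "same-site" } },
  { label: "credentialed fetch answered with ACAO *", resourceUrl: "https://api.example/me", mode: "cors",
    credentials: true, headers: { "access-control-allow-origin": "*" } },
];

function auditLoads(documentOrigin = DOCUMENT_ORIGIN, loads = SAMPLE_LOADS) {
  return loads.map((l) => ({ label: l.label, ...requireCorpAllows({ documentOrigin, ...l }) }));
}

console.table(auditLoads());
```

Run it against the response headers your own third parties actually return (curl -I is enough) and the blocked rows are the integrations that will break on the day you switch from Report-Only to enforcement.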

"Deploy and pray" isn't viable for production sites. You need to know exactly what will break before you flip the switch. You need visibility into which integrations are incompatible, which resources are missing headers, and which popups will lose communication.

The Answer

The Reporting API Makes COOP/COEP Violations Visible

We collect violation reports and route them to your existing tools for analysis.

Surface Silent Failures
COOP/COEP violations don't surface as JavaScript exceptions. A popup that lost its opener just fails to postMessage; a blocked resource fails like any network error, with at most a DevTools console message no user will ever send you. We make the invisible visible by collecting and surfacing every violation report.
See What Will Break
Collect violation reports before enforcement. Identify exactly which OAuth popups, payment gateways, and third-party resources are incompatible while you can still fix them.
Route to Your Stack
Send COOP and COEP reports to AppSignal, webhooks, or Google Chat. Integrate with your existing alerting and monitoring tools. Act on violations where you already manage incidents.
No Custom Infrastructure
We receive, parse, and forward reports. No endpoint to build, no parsing logic to maintain, no retry handling to implement. Name our endpoint in your Reporting-Endpoints header, reference it with report-to on your COOP and COEP headers, and you're done.
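As an added example (not code from this page or its product), here is the Report-Only header set the text describes, together with a parser for the batched delivery a browser POSTs to the named endpoint, the same job a collection service performs before forwarding. The endpoint URL https://reports.example/coop-coep and the two sample reports are constructed; the envelope fields (age, type, url, user_agent, body) follow the Reporting API, and the body fields follow the HTML spec's COEP and COOP report bodies.

```javascript
// Added example (not the page's product code): the Report-Only header set the
// text describes, and a parser for the batched delivery a browser POSTs to the
// named endpoint. The endpoint URL and the report contents are constructed;
// envelope and body field names follow the Reporting API and HTML specs.

const ENDPOINT_NAME = "coop-coep";

// With enforce=false this yields the *-Report-Only headers, which make browsers
// send violation reports without changing page behaviour. Flip enforce to true
// only once the reports are clean.
function isolationHeaders({ endpointUrl, enforce = false, coop = "same-origin", coep = "require-corp" }) {
  const suffix = enforce ? "" : "-Report-Only";
  return {
    "Reporting-Endpoints": `${ENDPOINT_NAME}="${endpointUrl}"`,
    [`Cross-Origin-Opener-Policy${suffix}`]: `${coop}; report-to="${ENDPOINT_NAME}"`,
    [`Cross-Origin-Embedder-Policy${suffix}`]: `${coep}; report-to="${ENDPOINT_NAME}"`,
  };
}

// Browsers POST reports in batches as a JSON array with
// Content-Type: application/reports+json. Each element carries age, type, url,
// user_agent and a type-specific body.
function summarizeReports(json) {
  const reports = JSON.parse(json);
  if (!Array.isArray(reports)) throw new Error("report delivery must be a JSON array");
  const summary = { coep: [], coop: [], other: [], blockedHosts: {} };
  for (const r of reports) {
    const body = r.body || {};
    if (r.type === "coep" && body.type === "corp") {
      // A cross-origin load failed the CORP check (or would have, in report-only mode).
      summary.coep.push({ page: r.url, blockedURL: body.blockedURL, destination: body.destination, disposition: body.disposition });
      const host = new URL(body.blockedURL).host;
      summary.blockedHosts[host] = (summary.blockedHosts[host] || 0) + 1;
    } else if (r.type === "coop") {
      // A browsing context group switch or cross-window access that COOP cut (or would cut).
      summary.coop.push({
        page: r.url, kind: body.type, disposition: body.disposition, effectivePolicy: body.effectivePolicy,
        other: body.nextResponseURL || body.previousResponseURL || body.otherDocumentURL,
      });
    } else {
      summary.other.push(r.type);
    }
  }
  return summary;
}

// Constructed delivery: one third-party script that would be blocked under
// require-corp and one popup navigation that would sever the opener under same-origin.
const SAMPLE_DELIVERY = JSON.stringify([
  { age: 120, type: "coep", url: "https://app.example/checkout", user_agent: "Mozilla/5.0 (constructed)",
    body: { type: "corp", blockedURL: "https://cdn.example/widget.js", destination: "script", disposition: "reporting" } },
  { age: 3, type: "coop", url: "https://app.example/login", user_agent: "Mozilla/5.0 (constructed)",
    body: { type: "navigation-from-response", disposition: "reporting", effectivePolicy: "same-origin",
            nextResponseURL: "https://idp.example/authorize", referrer: "https://app.example/login" } },
]);

console.log(isolationHeaders({ endpointUrl: "https://reports.example/coop-coep" }));
console.log(summarizeReports(SAMPLE_DELIVERY));
```

A disposition of "reporting" means the violation was observed but nothing was blocked; once enforcement is on the same reports arrive with "enforce". The blockedHosts tally is the shortest route to the list of third parties you need to chase for a Cross-Origin-Resource-Policy header.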

Ready to Deploy Cross-Origin Isolation Safely?

Test COOP and COEP policies against real traffic. Identify breaking integrations before they break your users' experience.