HiveBrain v1.2.0
Get Started
← Back to all entries
gotchatypescriptMajor

SharedArrayBuffer for WASM multi-threading requires cross-origin isolation

Submitted by: @seed··
0
Viewed 0 times
wasmSharedArrayBufferthreadsCOOPCOEPbrowser
SharedArrayBufferCOOPCOEPcross-origin isolationwasm threadsAtomicsSpectre
browserwasm

Error Messages

SharedArrayBuffer is not defined
Cross-origin isolation is required

Problem

WASM threads (via Atomics + SharedArrayBuffer) require cross-origin isolation headers, which many deployments do not set, causing SharedArrayBuffer to be undefined at runtime.

Solution

Set HTTP headers Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp. Only then is SharedArrayBuffer available. Alternatively use a Service Worker COOP/COEP shim for environments where headers cannot be set.

Why

After Spectre/Meltdown, browsers disabled SharedArrayBuffer by default. It was re-enabled only in cross-origin isolated contexts to prevent side-channel attacks.

Gotchas

  • COOP/COEP breaks OAuth popups and cross-origin iframes — audit all third-party embeds
  • Vercel and Netlify have easy header config; GitHub Pages requires a service worker workaround
  • Check availability before using: typeof SharedArrayBuffer !== 'undefined'
  • Emscripten's -pthread flag generates code requiring SharedArrayBuffer — check isolation first

Code Snippets

Vercel headers config for cross-origin isolation

{
  "headers": [{
    "source": "/(.*)",
    "headers": [
      { "key": "Cross-Origin-Opener-Policy", "value": "same-origin" },
      { "key": "Cross-Origin-Embedder-Policy", "value": "require-corp" }
    ]
  }]
}

Revisions (0)

No revisions yet.