performance.measureUserAgentSpecificMemory(), or the JS Self-Profiling API.
Wouldn't it be great if you could assess the impact that enabling cross-origin isolation would have on your site without actually breaking anything? The Cross-Origin-Opener-Policy-Report-Only and Cross-Origin-Embedder-Policy-Report-Only HTTP headers allow you to do just that.
Set Cross-Origin-Opener-Policy-Report-Only: same-origin on your top-level document. As the name indicates, this header only sends reports about the impact that COOP: same-origin would have on your site; it won't actually disable communication with popup windows.
Set Cross-Origin-Embedder-Policy-Report-Only: require-corp on your top-level document. Again, this header lets you see the impact of enabling COEP: require-corp without actually affecting your site's functioning yet. You can configure this header to send reports to the same reporting server that you set up in the previous step.
You can also enable the Domain column in the Chrome DevTools Network panel to get a general view of which resources would be impacted.
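One way to triage the reports that Cross-Origin-Embedder-Policy-Report-Only: require-corp produces, as an added example that is not part of the original article: it groups the resources that would be blocked by origin, so you can see which ones still need to be opted in. The report fields used (type, body.type, body.blockedURL, body.destination) are assumed from the COEP report format, and the sample payload and its origins are constructed.

```javascript
// Added example, not from the original article.
// Reports are sent by browsers, so treat them as untrusted JSON and check every field.
function summarizeCoepReports(reports) {
  const byOrigin = new Map();
  for (const report of Array.isArray(reports) ? reports : []) {
    // Keep only COEP subresource reports; COOP reports carry a different body.
    if (!report || report.type !== 'coep') continue;
    const body = report.body;
    if (!body || body.type !== 'corp' || typeof body.blockedURL !== 'string') continue;
    let origin;
    try {
      origin = new URL(body.blockedURL).origin;
    } catch {
      continue; // malformed blockedURL: skip this report
    }
    const entry = byOrigin.get(origin) || { origin, count: 0, destinations: new Set() };
    entry.count += 1;
    if (typeof body.destination === 'string') entry.destinations.add(body.destination);
    byOrigin.set(origin, entry);
  }
  // Most-affected origins first; ties are broken alphabetically for stable output.
  return [...byOrigin.values()]
    .map((e) => ({ origin: e.origin, count: e.count, destinations: [...e.destinations].sort() }))
    .sort((a, b) => b.count - a.count || a.origin.localeCompare(b.origin));
}

// Constructed sample payload (hypothetical origins), shaped like one POST body.
const SAMPLE_REPORTS = [
  { type: 'coep', url: 'https://app.example/',
    body: { type: 'corp', blockedURL: 'https://cdn.example/logo.png', destination: 'image', disposition: 'reporting' } },
  { type: 'coep', url: 'https://app.example/cart',
    body: { type: 'corp', blockedURL: 'https://cdn.example/app.js', destination: 'script', disposition: 'reporting' } },
  { type: 'coep', url: 'https://app.example/',
    body: { type: 'corp', blockedURL: 'https://ads.example/pixel.gif', destination: 'image', disposition: 'reporting' } },
  { type: 'coop', url: 'https://app.example/', body: { disposition: 'reporting' } }, // ignored: not COEP
  { type: 'coep', url: 'https://app.example/', body: { type: 'corp', blockedURL: 'not a url' } }, // ignored: bad URL
];

console.log(summarizeCoepReports(SAMPLE_REPORTS));
```

Each origin in the output is a party whose responses need to be opted in before enforcement is switched on.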
Caution: Enabling cross-origin isolation will block the loading of cross-origin resources that you don't explicitly opt in, and it will prevent your top-level document from being able to communicate with popup windows.
After you have determined which resources will be affected by cross-origin isolation, here are general guidelines for how you actually opt in those cross-origin resources:
Cross-Origin-Embedder-Policy-Report-Only: require-corp header to do an impact analysis.
Cross-Origin-Resource-Policy: cross-origin header. On same-site resources, set
crossorigin attribute in the HTML tag on top-level document if the resource is served with CORS (for example, <img src="example.jpg" crossorigin>).
Cross-Origin-Embedder-Policy: require-corp header on the cross-origin resources loaded into iframes.
postMessage(). There's no way to keep them working when cross-origin isolation is enabled. You can move the communication to another document that isn't cross-origin isolated, or use a different communication method (for example, HTTP requests).
After you have mitigated the impact of cross-origin isolation, here are general guidelines to enable cross-origin isolation:
Set the Cross-Origin-Opener-Policy: same-origin header on your top-level document. If you had set Cross-Origin-Opener-Policy-Report-Only: same-origin, replace it. This blocks communication between your top-level document and its popup windows.
Set the Cross-Origin-Embedder-Policy: require-corp header on your top-level document. If you had set Cross-Origin-Embedder-Policy-Report-Only: require-corp, replace it. This will block the loading of cross-origin resources that are not opted in.
true in console to verify that your page is cross-origin isolated.