Why do I need crossOriginIsolated to be true if I have SharedArrayBuffer via an origin trial?

[DustinBrett]

Describe the bug

I desire to use WebContainers in my app for Chrome users. I have signed up for Trial for SharedArrayBuffers in non-isolated pages on Desktop platforms which is an origin trial that allows SharedArrayBuffers to exist without the page being cross-origin isolated.

My question/request is, can we avoid checks for crossOriginIsolated == true if what matters is the existence of the SharedArrayBuffer function?

I have no link because this is domain specific and not hosted as it doesn't work.

Link to the blitz that caused the error

N/A

Steps to reproduce

1. Add the origin trial to your website
2. See SharedArrayBuffer exists
3. Try and load WebContainers and be told you need crossOriginIsolated for SharedArrayBuffer to work

Expected behavior

That it allows SharedArrayBuffer existing to be enough to continue, regardless of the state of crossOriginIsolated.

Parity with Local

• [X] I have run the project in my local machine and I could not reproduce the issue.

Screenshots

No response

Platform

• OS: All Platforms
• Browser: Chrome
• Version: 92+

Additional context

No response

[SamVerschueren]

Is there a specific reason why you don't want to add the 2 headers to make your website/app cross-origin isolated?

[DustinBrett]

Is there a specific reason why you don't want to add the 2 headers to make your website/app cross-origin isolated?

Yes I have several apps on my site which use iframes to function. If I added those headers then these other apps would cease to function.

There are anonymous/credentialless iframes (https://developer.chrome.com/blog/anonymous-iframe-origin-trial/#challenges-with-enabling-coep), but this is also not supported outside Chrome.

Is there a reason that WebContainers checks for crossOriginIsolated beyond the idea that it's required for SharedArrayBuffers?

[Nemikolh]

Hey @DustinBrett !

Is there a reason that WebContainers checks for crossOriginIsolated beyond the idea that it's required for SharedArrayBuffers?

I'm not entirely sure, we might be able to simplify the check.

In the meantime, let's see what are your other options.

In your initial post you said:

I desire to use WebContainers in my app for Chrome users.

And in your latest comment you talk about usage outside of Chrome:

There are anonymous/credentialless iframes but this is also not supported outside Chrome.

So I presume that you would use WebContainers only for Chrome users and not use WebContainer for other users but you would still want your iframes to work, correct?

If yes, before serving the COEP/COOP headers you could detect whether or not the browser is chrome and based on that serve the content with those headers or not. You would also use your anonymous iframes only if it's chrome.

Now with this approach, regardless of the origin trials expiring, you could use WebContainers now.

[DustinBrett]

Hey @DustinBrett !

Is there a reason that WebContainers checks for crossOriginIsolated beyond the idea that it's required for SharedArrayBuffers?

I'm not entirely sure, we might be able to simplify the check.

In the meantime, let's see what are your other options.

In your initial post you said:

I desire to use WebContainers in my app for Chrome users.

And in your latest comment you talk about usage outside of Chrome:

There are anonymous/credentialless iframes but this is also not supported outside Chrome.

So I presume that you would use WebContainers only for Chrome users and not use WebContainer for other users but you would still want your iframes to work, correct?

If yes, before serving the COEP/COOP headers you could detect whether or not the browser is chrome and based on that serve the content with those headers or not. You would also use your anonymous iframes only if it's chrome.

Now with this approach, regardless of the origin trials expiring, you could use WebContainers now.

Hi @Nemikolh,

Thanks for the response. One issue I have with dynamically adding headers is that my app is entirely client side and runs directly via nginix/CloudFlare CDN. I likely could add something in between via CloudFlare Workers or something, but the use of WebContainers will not be a primary use case within my site so I don't desire any overhead before the user decides they want WebContainers.

I was excited about the SharedArrayBuffer origin trial, thinking this could at least get me until March 7, 2024 (end of origin trial - unless extended), at which point ideally I would like to support Firefox/Safari also if they've gone onboard with credentialless in some way.

If no other alternative can be found then indeed I can consider dynamic headers, but I also may wait if that is the case.

I appreciate you considering my question either way.

[Nemikolh]

Ah I see, makes lots of sense :+1:

I'll add a ticket to our internal issue tracker so we can investigate this in a bit more details. It's possible that our check is a bit too restrictive.

[Nemikolh]

Hey @DustinBrett!

I was curious if you had tried providing coep: 'none' to WebContainer.boot?

This should serve the iframe without the COEP/COOP headers and might unblock you. If it does not, then what error do you get?

[DustinBrett]

Hey @DustinBrett!

I was curious if you had tried providing coep: 'none' to WebContainer.boot?

This should serve the iframe without the COEP/COOP headers and might unblock you. If it does not, then what error do you get?

That looks like exactly what I need. I guess I missed this last time I tried it. Thanks for mentioning it! I will try it and comment with any updates.

[d3lm]

Any update @DustinBrett? Is coep: 'none' what you were looking for and is it working for you?

[DustinBrett]

Any update @DustinBrett? Is coep: 'none' what you were looking for and is it working for you?

Sorry I haven't had time to recreate this but likely it would help as the docs describe what I wanted. As soon as I have time I can update this or if there is a desire to close it then it could be closed as a possible solution and I can reopen it if it doesn't work out.

[d3lm]

Sounds good. I am going to close it for now but feel free to open a new issue and maybe reference this one then. Thanks @DustinBrett 🙏