---
id: wiki-2026-0508-sharedarraybuffer-보안-이슈와-cross-o
title: SharedArrayBuffer Security Issues and Cross-Origin Isolation
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [SAB Security, COOP COEP, Cross-Origin Isolation]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, browser, web-platform, spectre]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: javascript
  framework: web-platform
---

# SharedArrayBuffer Security Issues and Cross-Origin Isolation

## One-liner

> **"SAB is the enabling primitive for high-resolution timers; mitigating Spectre therefore requires cross-origin isolation."**

After the 2018 Spectre disclosure every browser disabled SAB, and since 2020 the COOP+COEP+CORP triad has been required to re-enable it. As of 2026 it is the prerequisite for modern WebAssembly threading and multi-threaded JS.

## Key points

### Threat model

- Spectre v1 (bounds check bypass): transient execution leaks data through a cache side channel.
- SAB combined with `Atomics.wait` provides a nanosecond-precision timer, which makes cache hits and misses distinguishable.
- A cross-origin attacker page can read a victim's secret data when both are loaded in the same process.

### Mitigation triad

- **COOP** `Cross-Origin-Opener-Policy: same-origin`: cuts the window's cross-origin opener reference.
- **COEP** `Cross-Origin-Embedder-Policy: require-corp`: requires every sub-resource to opt in explicitly.
- **CORP** `Cross-Origin-Resource-Policy: same-origin|same-site|cross-origin`: lets the resource owner decide its embedding policy.

### Applications

1. WebAssembly threads (pthread, Rust async runtime).
2. FFmpeg.wasm / video encoding in the browser.
3. Multi-threaded ML inference (ONNX.js, transformers.js).
4. Game engines (Unity, Unreal HTML5 export).
5. Excel-grade spreadsheet apps with a worker pool.
## 💻 Patterns

### COOP+COEP server headers (Express)

```javascript
app.use((req, res, next) => {
  res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
  res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
  next();
});
```

### crossOriginIsolated check

```javascript
if (!self.crossOriginIsolated) {
  console.error('SAB unavailable — page not isolated');
} else {
  const sab = new SharedArrayBuffer(1024);
  const view = new Int32Array(sab);
  Atomics.store(view, 0, 42);
}
```

### Worker shared state

```javascript
const sab = new SharedArrayBuffer(4);
const counter = new Int32Array(sab);
const worker = new Worker('worker.js');
worker.postMessage(sab);          // the worker receives the same backing memory
Atomics.add(counter, 0, 1);
Atomics.notify(counter, 0);       // wake a worker blocked in Atomics.wait
```

### CORP for static asset CDN

```nginx
location ~* \.(js|wasm|png)$ {
  add_header Cross-Origin-Resource-Policy "cross-origin";
}
```

### credentialless COEP (2024+)

```javascript
res.setHeader('Cross-Origin-Embedder-Policy', 'credentialless');
// cross-origin no-cors fetch without credentials — no CORP required
```

### iframe with allow attribute

```html
<!-- src is a placeholder; allow="cross-origin-isolated" delegates the permission to the frame -->
<iframe src="https://example.com/embed" allow="cross-origin-isolated"></iframe>
```

### Wasm threads init

```javascript
import init from './pkg/app.js';
await init(); // requires crossOriginIsolated for SAB-based threads
```

## Decision criteria

| Situation | Approach |
|---|---|
| New app + threading needed | COOP same-origin + COEP require-corp |
| Legacy 3rd-party embeds | COEP credentialless (2024+) |
| Static asset CDN | CORP cross-origin header on all assets |
| No SAB needed | Skip isolation for broader compatibility |

**Default**: `COOP same-origin` + `COEP require-corp` for threaded Wasm; credentialless if there are 3rd-party embeds.

## 🔗 Graph

- Application: [[Web Worker (웹 워커)|Web-Workers]]
- Adjacent: [[CSP]]

## 🤖 LLM usage

**When**: a SAB use case (Wasm threads, multi-threaded JS) needs to be enabled.

**When not**: a simple SPA, where the overhead is not worth it.

## ❌ Anti-patterns

- **CORP omission on CDN**: silently breaks embedded resources.
- **COOP without COEP**: SAB is still blocked.
- **Naive credentialless adoption**: cookie-based 3rd-party widgets break.
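As an added example (not from the original page or from any browser's implementation), a pure-function model of how the triad combines: whether a document's headers yield `crossOriginIsolated`, and whether a given sub-resource would load under that document's COEP. It assumes header maps keyed by lower-case names, a `corsEnabled` flag standing in for a passed CORS check, and constructed origins and site labels.

```javascript
// Added example: models the COOP/COEP/CORP rules described above so a header
// plan can be checked offline. Header names and values are the real ones;
// every origin, site and header map below is a constructed sample.

// Isolation needs COOP same-origin AND a COEP that constrains embeds.
function isCrossOriginIsolated(docHeaders) {
  const coop = (docHeaders['cross-origin-opener-policy'] || '').trim();
  const coep = (docHeaders['cross-origin-embedder-policy'] || '').trim();
  return coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
}

// Would a sub-resource response load into the document under its COEP?
// doc:      { origin, site, coep }
// resource: { origin, site, headers, corsEnabled }
// corsEnabled = the response passed a CORS check, which satisfies COEP without CORP.
function subresourceAllowed(doc, resource) {
  if (resource.origin === doc.origin) return true;          // same-origin never needs CORP
  const corp = (resource.headers['cross-origin-resource-policy'] || '').trim();
  if (corp === 'same-origin') return false;                  // owner forbids cross-origin embedding
  if (corp === 'same-site') return resource.site === doc.site;
  if (corp === 'cross-origin') return true;                  // explicit opt-in
  if (resource.corsEnabled) return true;                     // CORS response satisfies COEP
  // No CORP header on a no-cors response:
  if (doc.coep === 'require-corp') return false;             // the "CORP omission on CDN" anti-pattern
  if (doc.coep === 'credentialless') return true;            // loads, but without credentials
  return true;                                               // COEP unsafe-none: no restriction
}

// Constructed scenario: app at https://app.example embedding assets from https://cdn.example.
function demo() {
  const docHeaders = {
    'cross-origin-opener-policy': 'same-origin',
    'cross-origin-embedder-policy': 'require-corp',
  };
  const doc = { origin: 'https://app.example', site: 'example', coep: 'require-corp' };
  const cdnNoCorp = { origin: 'https://cdn.example', site: 'example', headers: {}, corsEnabled: false };
  const cdnCorp = { ...cdnNoCorp, headers: { 'cross-origin-resource-policy': 'cross-origin' } };
  return {
    isolated: isCrossOriginIsolated(docHeaders),      // true
    cdnWithoutCorp: subresourceAllowed(doc, cdnNoCorp), // false: CDN asset silently blocked
    cdnWithCorp: subresourceAllowed(doc, cdnCorp),      // true
  };
}
```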
## 🧪 Verification / duplicates

- Verified (web.dev coop-coep, MDN SharedArrayBuffer, Chrome blog).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: SAB security, COOP/COEP/CORP triad, Wasm threads enabling |