2nd/10_Wiki/Topics/Architecture/SharedArrayBuffer_보안_이슈와_Cross-Origin_Isolation.md

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

id	title	category	status	canonical_id	aliases	duplicate_of	source_trust_level	confidence_score	verification_status	tags	raw_sources	last_reinforced	github_commit	tech_stack
wiki-2026-0508-sharedarraybuffer-보안-이슈와-cross-o	SharedArrayBuffer 보안 이슈와 Cross-Origin Isolation	10_Wiki/Topics	verified	self	SAB Security COOP COEP Cross-Origin Isolation	none	A	0.9	applied	security browser web-platform spectre		2026-05-10	pending	language framework javascript web-platform

SharedArrayBuffer 보안 이슈와 Cross-Origin Isolation

매 한 줄

"매 SAB는 high-resolution timer 의 enabling primitive — Spectre 의 mitigation 위해 cross-origin isolation 의 required.". 2018 Spectre 발표 후 매 brower 의 SAB disable 했고, 매 2020 부터 COOP+COEP+CORP triad 의 required for re-enable. 매 2026 modern WebAssembly threading / multi-threaded JS 의 prerequisite.

매 핵심

매 위협 모델

• Spectre v1 (bounds check bypass) 의 transient execution 의 cache side-channel leak.
• SAB + Atomics.wait 의 nanosecond-precision timer 제공 → cache hit/miss 의 distinguish 가능.
• Cross-origin attacker page 의 victim 의 secret data 의 read 가능 (same process).

매 mitigation triad

• COOP Cross-Origin-Opener-Policy: same-origin — window 의 cross-origin opener reference 의 cut.
• COEP Cross-Origin-Embedder-Policy: require-corp — sub-resource 의 explicit opt-in 의 require.
• CORP Cross-Origin-Resource-Policy: same-origin|same-site|cross-origin — resource owner 의 embedding policy 결정.

매 응용

1. WebAssembly threads (pthread, Rust async runtime).
2. FFmpeg.wasm / video encoding in browser.
3. Multi-threaded ML inference (ONNX.js, transformers.js).
4. Game engines (Unity, Unreal HTML5 export).
5. Excel-grade spreadsheet apps with worker pool.

💻 패턴

COOP+COEP server headers (Express)

app.use((req, res, next) => {
  res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
  res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
  next();
});

crossOriginIsolated check

if (!self.crossOriginIsolated) {
  console.error('SAB unavailable — page not isolated');
} else {
  const sab = new SharedArrayBuffer(1024);
  const view = new Int32Array(sab);
  Atomics.store(view, 0, 42);
}

Worker shared state

const sab = new SharedArrayBuffer(4);
const counter = new Int32Array(sab);
const worker = new Worker('worker.js');
worker.postMessage(sab);
Atomics.add(counter, 0, 1);
Atomics.notify(counter, 0);

CORP for static asset CDN

location ~* \.(js|wasm|png)$ {
  add_header Cross-Origin-Resource-Policy "cross-origin";
}

credentialless COEP (2024+)

res.setHeader('Cross-Origin-Embedder-Policy', 'credentialless');
// cross-origin no-cors fetch without credentials — no CORP required

iframe with allow attribute

<iframe src="https://embed.example.com"
        allow="cross-origin-isolated"></iframe>

Wasm threads init

import init from './pkg/app.js';
await init();  // requires crossOriginIsolated for SAB-based threads

매 결정 기준

상황	Approach
New app + threading needed	COOP same-origin + COEP require-corp
Legacy 3rd-party embeds	COEP credentialless (2024+)
Static asset CDN	CORP cross-origin header on all assets
No SAB needed	Skip isolation — broader compat

기본값: COOP same-origin + COEP require-corp for threaded Wasm; credentialless if 3rd-party embeds.

🔗 Graph

• 응용: Web Worker (웹 워커)
• Adjacent: CSP

🤖 LLM 활용

언제: SAB 의 use-case (Wasm threads, multi-thread JS) 의 enable 필요. 언제 X: simple SPA — overhead 의 worth 가 X.

❌ 안티패턴

• CORP omission on CDN: 매 silently break embedded resources.
• COOP without COEP: 매 SAB still blocked.
• Naive credentialless adoption: 매 cookie-based 3rd-party widgets break.

🧪 검증 / 중복

• Verified (web.dev coop-coep, MDN SharedArrayBuffer, Chrome blog).
• 신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — SAB security, COOP/COEP/CORP triad, Wasm threads enabling