Build the trio of headers that govern cross-origin behavior — Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy — and see exactly which combination unlocks SharedArrayBuffer, high-resolution performance.now(), and full cross-origin isolation.
A page is cross-origin isolated — the gate for SharedArrayBuffer, performance.measureUserAgentSpecificMemory(), high-resolution timers, and JS Self-Profiling — only when self.crossOriginIsolated === true. Browsers grant that flag when the document is served with COOP: same-origin and COEP: require-corp (or credentialless). Every cross-origin subresource then needs either a CORP header that allows you, or (for image, script, etc.) a CORS response. credentialless is friendlier: it strips cookies from cross-origin no-cors requests instead of requiring CORP, but downgrades isolation slightly.
COOP isolates the browsing-context group from cross-origin openers (mitigates Spectre + cross-window attacks). COEP blocks loading cross-origin subresources without an explicit opt-in. CORP goes on subresources you serve to declare who's allowed to embed them — setting cross-origin on a CDN means anyone may embed; same-site only allows same-eTLD+1 embedders.