What is a SharedArrayBuffer?

SharedArrayBuffer is a JavaScript built-in that holds a fixed-length region of raw memory. Web workers and the main thread share the same bytes, so they can read and write the buffer at the same time without copying.

What is a shared memory buffer?

A shared memory buffer is a single block of memory that more than one thread can read and write. In the browser, SharedArrayBuffer is the only way to expose shared memory to JavaScript, and the Atomics API guards reads and writes.

How do I turn on SharedArrayBuffer?

Serve the page over HTTPS, add Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp response headers, and make sure every cross-origin sub-resource sends a CORP or CORS header. The constructor then becomes available.

What is the difference between SharedArrayBuffer and ArrayBuffer?

ArrayBuffer is owned by one agent. When you postMessage an ArrayBuffer, ownership transfers and the sender loses access. SharedArrayBuffer is shared: every agent that receives it sees the same bytes and can mutate them in parallel.

Why does SharedArrayBuffer require cross-origin isolation?

Shared memory plus a high-resolution clock makes Spectre side-channel attacks practical. Cross-origin isolation puts the document in its own browser process and blocks unconsented third-party content, which contains those attacks within a single trust boundary.

Why am I getting 'SharedArrayBuffer is not defined'?

The page is not cross-origin isolated. Check that the document serves both COOP same-origin and COEP require-corp headers, that the page runs over HTTPS, and that window.crossOriginIsolated is true in the DevTools console.

Does Safari support SharedArrayBuffer?

Yes. Safari on macOS and Safari on iOS support SharedArrayBuffer from version 15.2 onward, but only when the page is cross-origin isolated. Older Safari builds had it disabled by default and threw on the constructor.

Does Node.js support SharedArrayBuffer?

Yes. Node.js exposes SharedArrayBuffer to worker_threads from Node 10.5 on, and the constructor is enabled by default with no header requirement, since Node has no cross-origin attack surface.

Can I use SharedArrayBuffer without COOP and COEP?

Not in any modern browser tab. The constructor is hidden until window.crossOriginIsolated is true, which only happens when both COOP and COEP are set. Node.js and Chrome extensions are the only contexts that skip the headers.

Is SharedArrayBuffer safe to use now?

Yes, on a cross-origin isolated page. The browser routes the document into its own renderer process and blocks unconsented cross-origin content, which neutralizes the Spectre side-channel vector that caused the original disable.

Home
/
Learning Hub
/
SharedArrayBuffer: Browser Support, Isolation, Use Cases

Testing

SharedArrayBuffer: Browser Support, Isolation, Use Cases

SharedArrayBuffer works in Chrome 68+, Edge 79+, Firefox 79+, Safari 15.2+, and Opera 64+ when the page is cross-origin isolated. Learn the setup and limits.

Prince Dewani

May 1, 2026

On This Page

About SharedArrayBuffer
Browser Support
Isolation Setup
Enable SharedArrayBuffer
Use Cases
Known Issues
Citations

SharedArrayBuffer is a JavaScript object defined by ECMAScript that lets workers and the main thread share raw binary memory. It works in Chrome 68+, Edge 79+, Firefox 79+, Safari 15.2+ on macOS and iOS, Opera 64+, and Samsung Internet 15+ when the page is cross-origin isolated, and Internet Explorer never added support.

This guide covers what SharedArrayBuffer is, the browsers that support it, the cross-origin isolation requirements, how to enable it, the use cases, and the known issues.

What is SharedArrayBuffer?

SharedArrayBuffer is a JavaScript built-in defined by the ECMAScript Language Specification at TC39. It exposes a fixed-length chunk of raw memory that web workers and the main thread can read and write at the same time, paired with the Atomics API for race-free updates. Unlike ArrayBuffer, it is not transferable, so every agent that receives it keeps access to the same bytes.

Which browsers does SharedArrayBuffer support?

Every modern desktop and mobile browser supports SharedArrayBuffer on a cross-origin isolated page, while Internet Explorer and the legacy Android Browser never added support. Global browser reach sits around 96% of users on a cross-origin isolated context.

Loading browser compatibility data...

SharedArrayBuffer compatibility in Chrome

Chrome supports SharedArrayBuffer from Chrome 68 on Windows, macOS, Linux, and ChromeOS. From Chrome 92 on desktop and Chrome 88 on Android, the page must serve COOP and COEP headers before the constructor is exposed. Chrome 60 to 67 had SharedArrayBuffer disabled by default after the Spectre disclosure. Chrome 4 to 59 did not support it.

SharedArrayBuffer compatibility in Edge

Microsoft Edge supports SharedArrayBuffer from Edge 79 on Windows, macOS, and Linux, mirroring Chromium behavior. From Edge 92, the page must be cross-origin isolated. Pre-Chromium Edge 16 to 18 had SharedArrayBuffer disabled by default. Edge 12 to 15, and every Internet Explorer build inside Edge IE mode, do not support it.

SharedArrayBuffer compatibility in Firefox

Firefox supports SharedArrayBuffer from Firefox 79 on Windows, macOS, Linux, and Android, and was the first browser to ship the post-Spectre, cross-origin isolated form. The page must serve COOP same-origin and COEP require-corp. Firefox 57 to 78 had SharedArrayBuffer disabled by default behind the javascript.options.shared_memory preference. Firefox 2 to 56 did not support it.

SharedArrayBuffer compatibility in Safari

Safari supports SharedArrayBuffer from Safari 15.2 on macOS and from Safari on iOS 15.2 on iPhone and iPad, with cross-origin isolation required. Safari 10.1 to 15.1 on macOS and Safari on iOS 10.3 to 15.1 had SharedArrayBuffer disabled by default after Spectre. Safari 3.1 to 10 on macOS and Safari on iOS 3.2 to 10.2 did not support it.

SharedArrayBuffer compatibility in Opera

Opera supports SharedArrayBuffer from Opera 64 on Windows, macOS, and Linux, with cross-origin isolation enforced from Opera 78 in line with the matching Chromium release. Opera 47 to 63 had SharedArrayBuffer disabled by default. Opera 9 to 46 did not support it. Opera Mobile supports it from Opera Mobile 80 with the same COOP and COEP rule.

SharedArrayBuffer compatibility in Samsung Internet

Samsung Internet supports SharedArrayBuffer from Samsung Internet 15.0 on Galaxy phones and tablets. Cross-origin isolation is required by default, since Samsung Internet 15.0 tracks Chromium 96. Samsung Internet 4 to 14.0 did not support SharedArrayBuffer in any form.

SharedArrayBuffer compatibility in Android Browser

Chrome for Android supports SharedArrayBuffer from Chrome 88 on cross-origin isolated pages, and Firefox for Android supports it from Firefox 79 under the same COOP and COEP rule. The legacy stock Android Browser, frozen at WebKit-based 4.4, never supported SharedArrayBuffer. Move any code that needs shared memory to a Chromium-based or Gecko-based mobile browser.

SharedArrayBuffer compatibility in Internet Explorer

Internet Explorer does not support SharedArrayBuffer in any version from IE 5.5 through IE 11. Trident, the IE engine, predates the ECMAScript proposal and the post-Spectre process model. Microsoft has retired Internet Explorer for most consumer use, so move shared-memory code to Chromium-based Edge or another modern browser.

Note: SharedArrayBuffer breaks across browsers when COOP and COEP headers are missing or set wrong. Test it on real browsers and OS with TestMu AI. Try TestMu AI free!

What are the cross-origin isolation requirements for SharedArrayBuffer?

Modern browsers expose the SharedArrayBuffer constructor only to documents that are in a secure context and cross-origin isolated. The top-level document opts into isolation with two HTTP response headers, and every cross-origin sub-resource has to opt in or be served from the same origin.

Secure context: The page must load over HTTPS, or from localhost during development. SharedArrayBuffer is gated by the Secure Context check that also gates Service Workers and the Push API.
Cross-Origin-Opener-Policy: same-origin: The COOP header isolates the top-level browsing context from cross-origin pop-ups and openers, so the document gets its own browsing context group.
Cross-Origin-Embedder-Policy: require-corp or credentialless: The COEP header forces every cross-origin sub-resource to opt in with a Cross-Origin-Resource-Policy header, or, with credentialless mode, to load without cookies and credentials.
Cross-Origin-Resource-Policy on sub-resources: Cross-origin images, fonts, scripts, and iframes must send Cross-Origin-Resource-Policy: cross-origin or use a CORS response. Sub-resources that do not opt in are blocked.
window.crossOriginIsolated check: The boolean window.crossOriginIsolated flips to true once the headers are correct. The SharedArrayBuffer constructor is reachable only while this flag is true.
Permissions-Policy: cross-origin-isolated: Cross-origin iframes inherit isolation only when the embedding document grants the cross-origin-isolated permission. The default allowlist of self covers same-origin frames.

How do you enable SharedArrayBuffer in your application?

Enabling SharedArrayBuffer is a server-side configuration job, not a JavaScript flag. Add the cross-origin isolation headers to your origin, fix every cross-origin sub-resource that breaks, and the constructor turns on for the page.

Serve the page over HTTPS: Move the origin to TLS, or use http://localhost during development. Mixed-content pages can never reach the cross-origin isolated state.
Set the COOP header: Add Cross-Origin-Opener-Policy: same-origin to the top-level HTML response. This locks the document into its own browsing context group and blocks cross-origin window.opener access.
Set the COEP header: Add Cross-Origin-Embedder-Policy: require-corp, or Cross-Origin-Embedder-Policy: credentialless if you embed third-party content that cannot send CORP. Both modes opt the document into isolation.
Update sub-resources: For every cross-origin image, script, font, and iframe, either send Cross-Origin-Resource-Policy: cross-origin from the upstream server or load it through CORS. Drop sub-resources that cannot meet either rule.
Verify with crossOriginIsolated: Open DevTools and run the snippet below. If window.crossOriginIsolated is true and the constructor builds a buffer, the page is correctly configured.
Construct and post the buffer: Call new SharedArrayBuffer(byteLength) on the main thread, wrap it in a typed array, and pass it to a Worker through postMessage. Both sides now read and write the same bytes.

// Paste this snippet into the DevTools console of any modern browser.
// It confirms the page is cross-origin isolated and that the constructor is reachable.
if (typeof SharedArrayBuffer !== "undefined" && window.crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(1024);
  const view = new Int32Array(buffer);

  Atomics.store(view, 0, 42);
  console.log("crossOriginIsolated:", window.crossOriginIsolated);
  console.log("Buffer byteLength:", buffer.byteLength);
  console.log("Atomics read:", Atomics.load(view, 0));
} else if (typeof SharedArrayBuffer === "undefined") {
  console.warn("SharedArrayBuffer is not defined. Check COOP and COEP headers.");
} else {
  console.warn("SharedArrayBuffer is defined but the page is not cross-origin isolated.");
}

If the snippet logs that the page is not cross-origin isolated, open the Network panel and inspect the response headers on the document request. A missing COOP or COEP header is the most common reason the constructor stays hidden.

What are the use cases of SharedArrayBuffer?

SharedArrayBuffer matters whenever a web app needs real parallelism with low overhead. The constructor sits behind every shipping use of WebAssembly threads, and it powers the heavy compute paths of well-known apps.

WebAssembly threads: The wasm threads proposal stores the linear memory in a SharedArrayBuffer, which lets every wasm thread read and write the same heap. Photoshop Web, AutoCAD Web, and Google Earth all rely on this path.
FFmpeg in the browser: ffmpeg.wasm uses a SharedArrayBuffer to run encoders and decoders across worker threads. Without cross-origin isolation, it falls back to a single-threaded build that is roughly four times slower.
Game engines: Unity WebGL and Unreal Engine builds spawn worker threads for physics, animation, and asset streaming. The shared heap holds geometry, textures, and entity state without cross-thread copies.
Audio and video pipelines: Apps like Figma, Discord, and Zoom move PCM audio frames and video buffers between an AudioWorklet and worker threads, so a single decode never blocks the main thread.
Atomics for shared data structures: The Atomics API guards reads and writes against tearing. Worker pools use Atomics.wait and Atomics.notify on a SharedArrayBuffer to schedule jobs without postMessage round-trips.
Cryptography and hashing: WebCrypto plus a wasm SIMD build can run hashes, AES, and post-quantum candidates across worker threads, with the input buffer shared instead of cloned.

What are the known issues with SharedArrayBuffer?

SharedArrayBuffer ships in every modern browser, but the cross-origin isolation requirement creates a long list of practical sharp edges. Most teams hit the same set of failures on first integration.

Third-party widgets break: Any cross-origin script or iframe that does not send Cross-Origin-Resource-Policy fails to load on a require-corp page. Stripe, Google Ads, and embedded YouTube all need allow-list work or a credentialless COEP.
Service workers and caching layers: A Service Worker that strips response headers will silently drop COOP and COEP, so window.crossOriginIsolated flips to false on cache hits. Pass the headers through verbatim or set them in the worker.
Static hosts that do not allow custom headers: GitHub Pages, classic Netlify rewrites, and S3-only origins cannot set COOP or COEP. Move to a host that supports response headers or front the origin with a CDN that injects them.
Reverse proxies that drop headers: Some CDNs strip COOP or COEP unless the origin explicitly opts them into the response header allowlist. Add both header names to the CDN configuration before debugging the page.
Chrome for iOS does not isolate: Every iOS browser uses WebKit underneath, so Chrome on iPhone and iPad behaves like Safari. The headers must satisfy WebKit, not Chromium, on iOS.
postMessage without crossOriginIsolated: A page can construct SharedArrayBuffer when isolated but trying to postMessage it to a non-isolated worker still throws a DataCloneError. Both sides have to be isolated.
Spectre still constrains timer precision: Performance.now resolution rises only on cross-origin isolated pages. A non-isolated page sees coarser timestamps, which makes shared-memory timing tests misleading on staging environments.
Atomics.wait blocks the main thread: The constructor allows Atomics.wait on a SharedArrayBuffer view, but calling it on the main thread freezes the page. Always run blocking waits inside a Worker.

In my experience, the silent failure that wastes the most time is a Service Worker that fetches the document from cache and forgets to forward the COOP and COEP headers. The constructor stays hidden, the console gives a vague reference error, and the team blames Spectre instead of the cache. Log window.crossOriginIsolated on the very first line of the page and the bug surfaces immediately.

Citations

All SharedArrayBuffer version numbers and platform notes in this guide come from these primary sources:

MDN Web Docs - SharedArrayBuffer: developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer
MDN Web Docs - Window.crossOriginIsolated: developer.mozilla.org/en-US/docs/Web/API/Window/crossOriginIsolated
MDN Web Docs - Cross-Origin-Opener-Policy: developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
MDN Web Docs - Cross-Origin-Embedder-Policy: developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
MDN Web Docs - Atomics: developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Atomics
ECMAScript Language Specification - SharedArrayBuffer Objects: tc39.es/ecma262/#sec-sharedarraybuffer-objects
WHATWG HTML Standard - Cross-origin isolation: html.spec.whatwg.org/multipage/document-sequences.html#cross-origin-isolated
Chrome for Developers - SharedArrayBuffer updates in Chrome 88 and 92: developer.chrome.com/blog/enabling-shared-array-buffer
WebKit - New WebKit Features in Safari 15.2: webkit.org/blog/12140/new-webkit-features-in-safari-15-2
Mozilla Hacks - Safely reviving shared memory: hacks.mozilla.org/2020/07/safely-reviving-shared-memory
Firefox 79 release notes: developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/79
web.dev - A guide to enable cross-origin isolation: web.dev/articles/cross-origin-isolation-guide
web.dev - Making your website cross-origin isolated: web.dev/articles/coop-coep

Author

Prince Dewani

Blogs: 8

Prince Dewani is a Community Contributor at TestMu AI, where he manages content strategies around software testing, QA, and test automation. He is certified in Selenium, Cypress, Playwright, Appium, Automation Testing, and KaneAI. Prince has also presented academic research at the international conference PBCON-01. He further specializes in on-page SEO, bridging marketing with core testing technologies. On LinkedIn, he is followed by 4,300+ QA engineers, developers, DevOps experts, tech leaders, and AI-focused practitioners in the global testing community.