fix: enable cross-origin isolation

Author: nolanlawson

src/cross-origin-isolation.ts

@@ -0,0 +1,12 @@
+import { Middleware } from 'koa';
+
+// Enable cross-origin isolation for more precise timers:
+// https://developer.chrome.com/blog/cross-origin-isolated-hr-timers/
+export function crossOriginIsolation(): Middleware {
+    // Based on https://github.com/fishel-feng/koa-isolated
+    return async function isolated(ctx, next) {
+        ctx.set('Cross-Origin-Opener-Policy', 'same-origin');
+        ctx.set('Cross-Origin-Embedder-Policy', 'require-corp');
+        await next();
+    };
+}

src/server.ts

@@ -19,6 +19,7 @@ import {nodeResolve} from 'koa-node-resolve';
 
 import {BenchmarkResponse, Deferred} from './types';
 import {NpmInstall} from './versions';
+import {crossOriginIsolation} from "./cross-origin-isolation";
 
 export interface ServerOpts {
   host: string;
@@ -88,6 +89,7 @@ export class Server {
     this.server = server;
     const app = new Koa();
 
+    app.use(crossOriginIsolation());
     app.use(bodyParser());
     app.use(mount('/submitResults', this.submitResults.bind(this)));
     app.use(this.instrumentRequests.bind(this));

src/test/server_test.ts

@@ -135,4 +135,11 @@ suite('server', () => {
     session = server.endSession();
     assert.equal(session.bytesSent, 0);
   });
+
+  test('enables cross-origin isolation', async () => {
+    const res = await fetch(`${server.url}/import-bare-module.html`);
+
+    assert.equal(res.headers.get('Cross-Origin-Opener-Policy'), 'same-origin');
+    assert.equal(res.headers.get('Cross-Origin-Embedder-Policy'), 'require-corp');
+  });
 });