Origin-Agent-Cluster
The HTTP Origin-Agent-Cluster response header requests the browser place the document in an origin-keyed agent cluster, dedicating operating system resources to the specific origin.
Usage
Browsers group pages into agent clusters sharing
operating system resources like processes or threads.
By default, this grouping is site-keyed, meaning pages
from different subdomains of the same site (e.g.,
app.example.re and docs.example.re) share the
same agent cluster. The Origin-Agent-Cluster header
switches this behavior to origin-keyed grouping, where
only pages from the exact same origin share
resources.
Origin-keyed agent clusters provide two benefits.
First, resource-intensive pages on one subdomain do not
degrade performance on pages from another subdomain of
the same site. Second, synchronous scripting access
between same-site cross-origin pages is blocked. When
the header is active, document.domain modification is
disabled, and WebAssembly.Module objects are not
transferable to same-site cross-origin pages via
postMessage(). The header is a hint to the browser,
not a guarantee of process isolation, and is not a
security feature. The window.originAgentCluster
property returns true when the browser has honored
the request. This header needs to be sent consistently
on all responses from a given origin for predictable
behavior.
Directives
?1
The ?1 directive is a structured header boolean value
indicating true, requesting origin-keyed agent cluster
assignment.
?0
The ?0 directive explicitly opts out, requesting
site-keyed agent cluster assignment. Chromium-based
browsers changed the default from site-keyed to
origin-keyed, making ?1 the implicit
behavior when no header is sent. Sending ?0 is
needed to re-enable document.domain sharing between
same-site cross-origin pages.
Example
The ?1 value is a structured header boolean meaning
"true", telling the browser to place this page into
its own origin-keyed agent cluster. In practice, this
means a page at app.example.re and a page at
docs.example.re will be placed in separate agent
clusters, even though they share the same parent
domain. Without this header, browsers group pages from
the same site together by default, allowing them to
share processes and access each other through
document.domain.
Origin-Agent-Cluster: ?1
This header is commonly sent alongside other isolation and security headers. Together, they instruct the browser to fully isolate the page from cross-origin documents.
Origin-Agent-Cluster: ?1
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Takeaway
The Origin-Agent-Cluster header requests the browser isolate the document's origin into a dedicated agent cluster, improving performance isolation and preventing synchronous access between same-site cross-origin pages.
See also
- HTML Standard: Origin-keyed agent clusters
- Cross-Origin-Opener-Policy
- Cross-Origin-Embedder-Policy
- Origins
- HTTP headers