Origin-Agent-Cluster

Origin-keyed isolation for browser documents is requested through the Origin-Agent-Cluster response header, which places the document in an agent cluster keyed to the specific origin rather than to the whole site.

Usage

Browsers group pages into agent clusters sharing operating system resources like processes or threads. The platform baseline for this grouping is site-keyed, meaning pages from different subdomains of the same site (e.g., app.example.re and docs.example.re) share the same agent cluster. Chromium-based browsers now default to origin-keyed grouping, where only pages from the exact same origin share resources. The Origin-Agent-Cluster header makes the origin-keyed request explicit with ?1, or opts back into site-keyed grouping with ?0.

Origin-keyed agent clusters provide two benefits. First, a resource-intensive page on one subdomain is less likely to affect performance on pages from another subdomain of the same site. Second, synchronous scripting access between same-site cross-origin pages is blocked. When the header is active, document.domain modification is disabled, and WebAssembly.Module objects are not transferable to same-site cross-origin pages via postMessage(). The header is a hint to the browser, not a guarantee of process isolation, and is not a security feature. The window.originAgentCluster property returns true when the browser has honored the request. This header needs to be sent consistently on all responses from a given origin for predictable behavior.
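The consistency requirement above can be checked against captured responses. The following is an added example, not code from the original page: it groups responses by origin, classifies each Origin-Agent-Cluster value, and reports origins that send mixed or malformed values. The function names, the sample responses, and the legacy.example.re host are constructed for illustration, and the Structured Fields parsing is simplified to a bare boolean with optional parameters.

```javascript
// Classify one Origin-Agent-Cluster value (simplified Structured Fields item:
// a bare boolean ?1 or ?0, optionally followed by ;parameters).
function classifyOac(value) {
  if (value === undefined || value === null) return "missing";
  const m = /^\?([01])(;.*)?$/.exec(String(value).trim());
  if (!m) return "invalid"; // e.g. "true", "1", or a duplicated header joined as "?1, ?1"
  return m[1] === "1" ? "origin-keyed" : "site-keyed";
}

// Group responses by origin and report origins whose responses disagree,
// or that carry a value that is not a valid boolean item.
function auditResponses(responses) {
  const byOrigin = new Map();
  for (const { url, headers } of responses) {
    const u = new URL(url);
    // Header names are case-insensitive.
    const entry = Object.entries(headers)
      .find(([name]) => name.toLowerCase() === "origin-agent-cluster");
    const kind = classifyOac(entry ? entry[1] : undefined);
    if (!byOrigin.has(u.origin)) byOrigin.set(u.origin, new Map());
    const kinds = byOrigin.get(u.origin);
    if (!kinds.has(kind)) kinds.set(kind, []);
    kinds.get(kind).push(u.pathname);
  }
  const findings = [];
  for (const [origin, kinds] of byOrigin) {
    if (kinds.size > 1 || kinds.has("invalid")) {
      findings.push({ origin, seen: Object.fromEntries(kinds) });
    }
  }
  return findings;
}

// Constructed sample input (not real traffic).
const sampleResponses = [
  { url: "https://app.example.re/", headers: { "Origin-Agent-Cluster": "?1" } },
  { url: "https://app.example.re/settings", headers: { "origin-agent-cluster": "?1" } },
  { url: "https://docs.example.re/", headers: { "Origin-Agent-Cluster": "?1" } },
  { url: "https://docs.example.re/api", headers: {} },
  { url: "https://legacy.example.re/", headers: { "Origin-Agent-Cluster": "?1, ?1" } },
];
console.log(JSON.stringify(auditResponses(sampleResponses), null, 2));
```

An origin that omits the header on every response is not reported, since its responses agree with each other and the browser default applies uniformly.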

Directives

?1

The ?1 directive is a Structured Fields boolean value indicating true, requesting origin-keyed agent cluster assignment.

?0

The ?0 directive explicitly opts out, requesting site-keyed agent cluster assignment. Chromium-based browsers changed the default from site-keyed to origin-keyed, making ?1 the implicit behavior when no header is sent. Sending ?0 is needed to re-enable document.domain sharing between same-site cross-origin pages.

Example

The ?1 value is a structured header boolean meaning "true", telling the browser to place this page into its own origin-keyed agent cluster. In practice, this means a page at app.example.re and a page at docs.example.re will be placed in separate agent clusters, even though they share the same parent domain. Chromium-based browsers default to origin-keyed agent clusters. Sending ?1 explicitly opts into this behavior on all supporting browsers and prevents same-site cross-origin access through document.domain.

Origin-Agent-Cluster: ?1

This header is commonly sent alongside other isolation and security headers. Together, they instruct the browser to fully isolate the page from cross-origin documents.

Origin-Agent-Cluster: ?1
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

Last updated: June 5, 2026