fix: enable cross-origin isolation

src/cross-origin-isolation.ts

@@ -0,0 +1,12 @@
+import {Middleware} from 'koa';
+
+// Enable cross-origin isolation for more precise timers:
+// https://developer.chrome.com/blog/cross-origin-isolated-hr-timers/
+export function crossOriginIsolation(): Middleware {
+  // Based on https://github.com/fishel-feng/koa-isolated
+  return async function isolated(ctx, next) {
+    ctx.set('Cross-Origin-Opener-Policy', 'same-origin');
+    ctx.set('Cross-Origin-Embedder-Policy', 'require-corp');
+    await next();
+  };
+}

src/server.ts

@@ -19,6 +19,7 @@ import {nodeResolve} from 'koa-node-resolve';
 
 import {BenchmarkResponse, Deferred} from './types';
 import {NpmInstall} from './versions';
+import {crossOriginIsolation} from './cross-origin-isolation';
 
 export interface ServerOpts {
   host: string;
@@ -88,6 +89,7 @@ export class Server {
     this.server = server;
     const app = new Koa();
 
+    app.use(crossOriginIsolation());
     app.use(bodyParser());
     app.use(mount('/submitResults', this.submitResults.bind(this)));
     app.use(this.instrumentRequests.bind(this));

src/test/server_test.ts

@@ -135,4 +135,14 @@ suite('server', () => {
     session = server.endSession();
     assert.equal(session.bytesSent, 0);
   });
+
+  test('enables cross-origin isolation', async () => {
+    const res = await fetch(`${server.url}/import-bare-module.html`);
+
+    assert.equal(res.headers.get('Cross-Origin-Opener-Policy'), 'same-origin');
+    assert.equal(
+      res.headers.get('Cross-Origin-Embedder-Policy'),
+      'require-corp'
+    );
+  });
 });