Why are cross-origin isolation and CORB/CORP both needed? [closed]


I asked the same question on Stack Overflow, but I got no answers, and it was suggested that I ask it here.

Abbreviations used:

  • CORP: Cross-Origin Resource Policy
  • CORS: Cross-Origin Resource Sharing
  • CORB: Cross-Origin Read Blocking
  • SSCAs: speculative side-channel attacks, like Spectre

I’ve read this article, but I still don’t understand why cross-origin isolation and CORB/CORP are both needed. Specifically:

  • If webpages can perform SSCAs without using cross-origin isolated features (like SharedArrayBuffer), which I think is what Chromium assumes, then why is it necessary to be cross-origin isolated to have access to those features?
  • Otherwise, if webpages can’t perform SSCAs without using cross-origin isolated features, then why are CORB and CORP needed?

Also, since webpages can perform SSCAs using cross-origin isolated features, what is the difference between using Cross-Origin-Resource-Policy: cross-origin and Access-Control-Allow-Origin: *, since SSCAs can be used to read data just by embedding a resource and Access-Control-Allow-Origin: * isn’t needed for it?