Experimenting with the proposed Cross-Origin Storage API in Transformers.js

16d ago · Global · primary source: huggingface.co

A new browser API proposal aims to eliminate redundant downloads of identical large files, such as AI model weights and WebAssembly runtimes, that are currently duplicated across different website origins due to cache partitioning. The Cross-Origin Storage (COS) API, detailed in a recent proposal, introduces a navigator.crossOriginStorage interface that allows web applications to store and retrieve files based on their cryptographic hash rather than their URL or origin [1]. This approach directly addresses the limitations of modern browser caching, where resources are isolated by origin to prevent timing attacks, as outlined in the article "Gaining security and privacy by partitioning the cache" [1]. The practical impact is significant for libraries like Transformers.js, which uses the ONNX Runtime. A single WebAssembly runtime file, ort-wasm-simd-threaded.asyncify.wasm, is 4,733 kB [1]. Even if two different applications on separate origins use entirely different AI models, they both require this identical runtime file, leading to duplicate downloads and storage consumption [1]. For a popular model like Xenova/whisper-tiny.en, the total duplicate download and storage can reach 177 MB per origin [1]. "Unfortunately, this is not how caching works in browsers for a long time," the proposal notes, explaining that in Chrome, cached resources are keyed using a Network Isolation Key composed of the top-level site and the current-frame site, preventing a cache hit even for identical resource URLs from different origins [1]. The COS API bypasses this by identifying files by hash, allowing the same runtime downloaded on one site to be recognized and reused by another [1]. This proposal emerges within a broader context of evolving web privacy standards. Google previously led the Privacy Sandbox initiative, announced in 2019, which aimed to create web standards for accessing user information without third-party cookies [2]. That initiative, which included technologies like Shared Storage and CHIPS, was officially discontinued in April 2025 due to low adoption and regulatory pressure [2]. The COS API represents a different approach, focusing on storage efficiency while incorporating privacy controls. The API provides developers with granular control over file visibility. A file can be stored with global access (origins: '*'), restricted to a specific list of origins, or limited to same-site origins by default [1]. A key integrity feature is that the browser verifies a file's hash upon writing, causing the operation to fail if the data does not match, which provides automatic integrity checking for resources like AI model weights fetched from a CDN [1]. The proposal also includes rules to prevent a malicious actor from downgrading a public resource's visibility, though visibility can be upgraded by any site that provides the full, hash-matching file [1]. Google Chrome, which held a 75.23% worldwide browser market share on personal computers as of March 2026, is built on the open-source Chromium project, a codebase also used by Microsoft Edge, Opera, and Brave [3][4]. The COS API is an early-stage proposal and is not yet natively implemented in any browser, but a polyfill extension is available for experimentation [1].

tool-releaseresearch-paper

Background sources we checked (7)
  • en.wikipedia.org ↗ The Privacy Sandbox was an initiative led by Google which aimed to create web standards for websites to access user information without compromising privacy. Announced in 2019, the core purpose of the project was to facilitate online advertising by sharing a subset of user privat…
  • en.wikipedia.org ↗ Chromium is a free and open-source web browser project, primarily developed and maintained by Google. It is a widely used codebase, providing the vast majority of code for Google Chrome and many other browsers, including Microsoft Edge, Opera, Vivaldi, Brave, Samsung Browser and …
  • en.wikipedia.org ↗ Google Chrome is a cross-platform web browser developed by Google. It was launched in September 2008 for Microsoft Windows and was built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, iPadOS, and Android, w…
  • en.wikipedia.org ↗ Google LLC ( , GOO-gəl) is an American multinational technology corporation focused on information technology, online advertising, search engine technology, email, cloud computing, software, quantum computing, e-commerce, consumer electronics, and artificial intelligence (AI). It…
  • en.wikipedia.org ↗ Google AI Studio is a web-based integrated development environment developed by Google for prototyping applications using generative AI models. Released in December 2023 alongside the Gemini API, the platform provides access to Google's Gemini family of models and related tools f…
  • en.wikipedia.org ↗ Gemma is a series of source-available large language models developed by Google DeepMind. It is based on similar technologies as Gemini. The first version was released in February 2024, followed by Gemma 2 in June 2024, Gemma 3 in March 2025, and the free and open-source Gemma 4 …
  • en.wikipedia.org ↗ Gemini (also known as Google Gemini and formerly known as Bard) is a generative artificial intelligence chatbot and virtual assistant developed by Google. It is powered by the family of large language models (LLMs) of the same name, after previously being based on LaMDA and PaLM …

Sources

Spot something wrong? Report an issue