The Cache Isolation Problem

Modern browsers isolate caches by origin to prevent security risks like timing attacks. This means that if a user visits two different websites that both use the same large AI model (e.g., Xenova/whisper-tiny.en) or shared runtime files (e.g., ONNX Runtime Wasm), the browser treats them as distinct resources. Consequently, the user must download and store the same multi-megabyte files multiple times, leading to significant bandwidth waste and storage bloat.

The Cross-Origin Storage (COS) Solution

The proposed Cross-Origin Storage (COS) API addresses this by allowing developers to store and retrieve files identified by a cryptographic hash (SHA-256) rather than a URL. Because the hash is unique to the file's content, the browser can recognize that a resource is identical regardless of which origin requested it.

Key Mechanisms:

  • Hash-based Identification: Files are stored and retrieved via navigator.crossOriginStorage.requestFileHandle(hash). If the hash exists in the browser's shared storage, the file is served instantly.
  • Visibility Control: Developers can define access levels using the origins parameter. Setting origins: '*' makes a file globally available, which is ideal for public AI models. Restricted lists or same-site defaults provide privacy for proprietary assets.
  • Integrity Verification: The browser automatically verifies the file's hash upon writing. If the data does not match the hash, the write fails, providing built-in integrity checking that is currently missing in standard CDN-based downloads.
  • Privacy Protections: To prevent the API from being used as a cross-site tracking vector, browsers may implement "availability gating," where they suppress confirmation of a file's existence if it is not sufficiently common across the web.
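
The mechanisms listed above, as an added example that is not part of the original page or of the COS proposal's own code: a simplified in-memory model (runnable in Node.js) of hash-keyed lookup, write-time integrity verification and origins-based visibility. ModelStore, its methods, the example origins, the caller-only default and the first-writer-fixes-visibility rule are assumptions made for illustration; the sample bytes are constructed.

```javascript
// Simplified model of the COS semantics described above; NOT the browser API.
// ModelStore, write() and read() are hypothetical names for illustration.
const { createHash } = require('node:crypto');

const sha256Hex = (bytes) => createHash('sha256').update(bytes).digest('hex');

class ModelStore {
  constructor() {
    this.files = new Map(); // content hash -> { bytes, origins }
  }

  // A write is accepted only if the bytes really hash to the claimed key.
  // Assumption: visibility defaults to the writing origin only.
  write(callerOrigin, hash, bytes, origins = [callerOrigin]) {
    if (sha256Hex(bytes) !== hash) {
      throw new Error('integrity check failed: bytes do not match hash');
    }
    // Assumption of this model: the first writer fixes the visibility.
    if (!this.files.has(hash)) this.files.set(hash, { bytes, origins });
  }

  // The key is the content hash, so the URL the file came from is irrelevant.
  // A file the caller may not see looks exactly like a file that is absent.
  read(callerOrigin, hash) {
    const entry = this.files.get(hash);
    if (!entry) return null;
    const visible = entry.origins === '*' || entry.origins.includes(callerOrigin);
    return visible ? entry.bytes : null;
  }
}

function demo() {
  const store = new ModelStore();
  const siteA = 'https://site-a.example', siteB = 'https://site-b.example';
  const weights = Buffer.from('constructed stand-in for model weights');
  const hash = sha256Hex(weights);
  store.write(siteA, hash, weights, '*');             // public model
  const sharedHit = store.read(siteB, hash) !== null; // other origin, no download

  let tamperedRejected = false;
  try { store.write(siteB, hash, Buffer.from('tampered'), '*'); }
  catch { tamperedRejected = true; }

  const asset = Buffer.from('constructed proprietary asset');
  store.write(siteA, sha256Hex(asset), asset);        // default: writer only
  const privateLeak = store.read(siteB, sha256Hex(asset)) !== null;
  return { sharedHit, tamperedRejected, privateLeak };
}
```

The rejected write is the property that matters for a shared store: a second origin cannot replace a widely used model under its existing hash with different bytes.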

Implementation in Transformers.js

Transformers.js is currently piloting this API. Developers can opt in by setting env.experimental_useCrossOriginStorage = true before initializing a pipeline. The library automatically resolves the SHA-256 hash for model weights and uses it as the COS key. If the model is already present in the user's COS cache from another site, the app skips the network request entirely. This approach is currently compatible with a polyfill provided by a Chrome extension, allowing developers to test the performance benefits today while the API undergoes standardization.