Web Performance

Chrome Experiments with Cross-Origin Storage API to Eliminate Duplicate AI Model Downloads

The proposed Cross-Origin Storage API aims to eliminate redundant downloads of AI models and Wasm runtimes in the browser. By identifying resources via SHA-256 hash rather than URL, COS enables cross-origin caching while preserving privacy and integrity. Transformers.js, WebLLM, and wllama are already experimenting with the API.

Emmanuel Fabrice Omgbwa Yasse

2026-07-09 · 3 min read

Chrome Experiments with Cross-Origin Storage API to Eliminate Duplicate AI Model Downloads

Here’s the problem: you build an AI-powered web app with Transformers.js. On first visit, the browser downloads model weights and WebAssembly runtime files, caching them locally. Then you load a second app on a different origin that uses the exact same model, say, the popular Whisper speech-recognition model. The browser downloads and caches those same megabytes all over again. For large models, that duplication can waste hundreds of megabytes of bandwidth and disk space per user. It’s more than an annoyance; it’s a real drain.

Google’s Chrome team is working on a fix. The proposed Cross-Origin Storage (COS) API is an early-stage specification that introduces a dedicated navigator.crossOriginStorage interface. Instead of keying cached resources by URL and origin, the current model, which partitions caches for security reasons, COS identifies files by their SHA-256 cryptographic hash. That means whether a resource was first fetched by https://site-a.com or https://site-b.com, if the bytes are identical, the browser can serve them from a single shared store.

How COS Works

The API is deliberately modeled on the Origin Private File System (OPFS), already familiar to web developers. To retrieve a file, an app calls navigator.crossOriginStorage.requestFileHandle(hash), where hash is an object containing the algorithm (currently SHA-256) and the hex value. If the file is already stored, the method returns a FileSystemFileHandle for reading. If not, the app can fall back to a network fetch and then store the result with { create: true, origins: '*' } to make it globally available.

Control over visibility is granular: developers can set origins to '*' for public resources, an explicit list of permitted origins for proprietary assets, or omit it entirely for same-site-only sharing. A deliberate design decision prevents downgrading visibility, once a file is stored globally, a later attempt to restrict its origins is silently ignored, thwarting potential abuse.

Integrity by Default

Every write to COS is automatically verified against the declared hash. If the bytes don’t match, the write fails. This gives consumers an implicit integrity guarantee that today’s HTTP-based downloads do not routinely provide. For AI models downloaded from content delivery networks, that means developers and users can trust they are getting exactly the weights intended.

Privacy Protections

Cross-origin storage inevitably raises the specter of cross-site tracking. COS addresses this with two mechanisms. First, the explicit origins field encourages developers to limit visibility to only those origins that need access. Second, even for globally declared files, the browser may suppress confirmation of a file’s presence if it has been encountered on too few distinct origins, returning a miss rather than confirming the file exists. Chrome team members note this mitigation is still being refined. Developers are advised always to handle a miss by falling back to the network.

Transformers.js Pilots COS

The Transformers.js library, which lets web developers run transformer models directly in the browser via ONNX Runtime, has already introduced experimental COS support. A single line of code opts in:

import { env } from "https://cdn.jsdelivr.net/npm/@huggingface/transformers@4.2.0";
env.experimental_useCrossOriginStorage = true;

When enabled, the library resolves the SHA-256 hash for each Xet-tracked model file and checks COS before downloading. In tests, this eliminates duplicate downloads of models like Xenova/whisper-tiny.en and the shared Wasm runtime, saving over 177 MB in the case of the Whisper ASR model alone. The same improvements apply to WebLLM and wllama, which have also integrated COS support.

Try it Today

No browser implements the COS API natively yet, but developers can install the Cross-Origin Storage extension for Chrome, which injects a navigator.crossOriginStorage polyfill. With the extension active, visiting two different demo apps using the same model shows the second app loading instantly from COS rather than re-downloading the weights.

The Chrome team is actively soliciting feedback on the proposal via the Cross-Origin Storage repository. Implementation in the browser itself would bring these performance and storage savings to all web users without the need for an extension.