Cross-Origin-Opener-Policy
Response header Security

Overview

Cross-Origin-Opener-Policy (COOP) is a security header controlling whether this document shares a 'browsing context group' with other contexts it is linked to (popups, its opener) via window.open() or links. Setting same-origin severs the window.opener reference to cross-origin documents, achieving process-level isolation.

Details

By default, a page A and a popup B it opened can interact through window.opener and window references, which becomes an attack surface for tabnabbing and XS-Leaks (cross-site information leaks). COOP: same-origin places cross-origin documents in a separate browsing context group, nulling such references and letting the browser put them in different OS processes, which also reduces Spectre-class side-channel risk.

COOP's most important practical purpose is pairing with Cross-Origin-Embedder-Policy (COEP) to make a page crossOriginIsolated. When COOP: same-origin and COEP: require-corp (or credentialless) both apply, self.crossOriginIsolated becomes true, and only then do powerful features like SharedArrayBuffer, high-resolution performance.now() timers, and cross-thread shared memory become available.

same-origin-allow-popups is a relaxed value that isolates the document yet keeps communication with popups it opens. Use it to avoid breaking flows such as OAuth or payment popups that rely on postMessage with the opener. The report-to parameter reports violations/mitigations to the Reporting API so you can validate a gradual rollout.

Syntax

Cross-Origin-Opener-Policy: <unsafe-none | same-origin | same-origin-allow-popups>[; report-to="<group>"]

e.g. Cross-Origin-Opener-Policy: same-origin

Directives / values

unsafe-noneDefault. Shares a browsing context group with other documents and keeps the window.opener relationship.
same-originShares a context group only with same-origin documents, severing cross-origin opener/popup references for isolation (one condition for crossOriginIsolated).
same-origin-allow-popupsIsolates the document but keeps references to popups it opens; a relaxed value for compatibility (e.g. OAuth popups).
report-to="<group>"Name of the Reporting-Endpoints group to which COOP violations/mitigations are reported.

Notes

Related headers

Related status codes

Specification