Cross-Origin Opener Policy


What is COOP?

The Spectre attack changed our understanding of what site operators need to do in order to keep their data safe as any of your data that is loaded in the same Browsing Context Group as another origin is potentially readable. The COOP header allows you to break out of the Browsing Context Group for your page and ensure you do not share one with a potentially hostile origin. There are configurable levels of co-existence within COOP but by ensuring isolation in a new process between your page and a potentially hostile page, an attacker cannot have access to memory that's of interest to them.

Getting Started

It is highly recommended that sites test COOP in Report Only mode before considering an enforced policy. This can be done by sending the appropriate HTTP response header:

Cross-Origin-Opener-Policy-Report-Only: (same-origin|same-origin-allow-popups|unsafe-none); report-to="default"

As you can see, COOP uses the Reporting API to send reports, so you will need to ensure that you have it enabled:

Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"{URL}"}],"include_subdomains":true}

You can read our documentation on Getting Started with the Reporting API for more information.


COOP is a relatively new browser technology but there is already plenty of information on how it works and how to configure it for your site:

https://scotthelme.co.uk/coop-and-coep/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

https://web.dev/why-coop-coep/

https://web.dev/coop-coep/