Security

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Syntax

Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin

Example

Cross-Origin-Opener-Policy: same-origin

Description

Cross-Origin-Opener-Policy (COOP) controls whether a top-level document shares a browsing context with cross-origin documents. Defense against Spectre-type side-channel attacks.

Values: unsafe-none (default), same-origin-allow-popups, same-origin (full isolation).

Often used with Cross-Origin-Embedder-Policy (COEP) to achieve cross-origin isolation, enabling SharedArrayBuffer and high-resolution timers.

Check if your website sends this header correctly

Check your headers →

Cross-Origin-Opener-Policy

Syntax

Example

Description

Related Articles

Related Headers

Start monitoring for free