The HTTP Cross-Origin-Opener-Policy response header directs top-level documents not to share a browsing context group with cross-origin documents.


The Cross-Origin-Opener-Policy response header is used to process-isolate a specific document, preventing others from accessing it in a situation where it is opening in a popup window. By isolating the relevant process, it prevents certain types of cross-origin attacks from compromising network security and information privacy.

There are three directives including unsafe-none, same-origin-allow-popups, and same-origin.


The unsafe-none directive is the default setting and it grants the document permission to be added to the client’s browsing context group. This is unless the client has a HTTP Cross-Origin-Opener-Policy header of same-origin or same-origin-allow-popups.


Setting the same-origin-allow-popups directive will signal the client to retain references to newly opened windows, provided that they don’t set HTTP Cross-Origin-Opener-Policy header or reject process isolation by setting the unsafe-none directive.


Using the same-origin directive isolates the browsing context such that it is available only to documents of the same origin. No cross-origin document will be accessed within the same browsing context.


In this example, the require-corp directive of the Cross-Origin-Embedder-Policy gives the client access to certain features such as a SharedArrayBuffer. The Cross-Origin-Opener-Policy header is required for this to work correctly.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin


The Cross-Origin-Opener-Policy response header is used to instruct the client that a top-level document cannot share a browsing context group with cross-origin documents.

See also

Last updated: June 29, 2022