Cross-Origin-Opener-Policy
The HTTP Cross-Origin-Opener-Policy (COOP) response
header controls how a document shares its browsing context
group with cross-origin documents opened through popups
or window.open().
Usage
The Cross-Origin-Opener-Policy header isolates a
top-level document from cross-origin windows. By default,
documents opened through popups or window.open() share
a browsing context group, giving each window scripting
access to the other through window.opener and the
return value of window.open(). COOP restricts or severs
these cross-origin references, preventing cross-site leak
attacks and Spectre-class side-channel exploits.
Setting COOP to same-origin paired with
Cross-Origin-Embedder-Policy
(COEP) achieves cross-origin isolation. This combination
grants access to SharedArrayBuffer,
performance.measureUserAgentSpecificMemory(), and
high-resolution timers. The window.crossOriginIsolated
property returns true when both headers are correctly
configured.
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

if (window.crossOriginIsolated) {
  const buffer = new SharedArrayBuffer(1024);
}
The same-origin directive is the strictest mode but
severs all cross-origin window references. This breaks
OAuth popups and payment flows where the popup needs to
communicate back to the opener through window.opener
or postMessage. The same-origin-allow-popups directive
addresses this by preserving window references for popups
the page opens, at the cost of not enabling cross-origin
isolation.
The noopener-allow-popups directive provides same-origin
process isolation without affecting popups opened by the
page. The restrict-properties directive is an
experimental alternative enabling cross-origin isolation
while preserving limited popup communication through
postMessage() and window.closed.
The report-to parameter on any directive names a
reporting endpoint for COOP violation reports. The
endpoint maps to a URL declared in the
Reporting-Endpoints header. The
companion
Cross-Origin-Opener-Policy-Report-Only
header evaluates the policy in observation mode,
generating violation reports without enforcing window
isolation.
Note
The same-origin and same-origin-allow-popups
directives are supported by all major browsers. The
noopener-allow-popups directive is supported by
Chromium-based browsers and Safari. The
restrict-properties directive is experimental and
under development in Chromium-based browsers.
Directives
unsafe-none
The default value. The document shares its browsing context group with cross-origin documents without restrictions. Cross-origin popups and openers retain full scripting access. No cross-origin isolation is established.
same-origin-allow-popups
The document isolates from cross-origin openers but
retains references to popups opened by the page. A popup
opened through window.open() remains in the same
browsing context group when the popup does not set COOP
or sets unsafe-none. Cross-origin documents opening the
page through window.open() are placed in a separate
browsing context group.
This is the common choice for sites using OAuth or payment popups where the popup communicates the result back to the opener. Cross-origin isolation is not established with this directive.
same-origin
The document shares its browsing context group only with
same-origin documents setting the same COOP value. All
cross-origin window references are severed. The
window.opener property returns null for cross-origin
popups, and the return value of window.open() behaves
as a closed window.
Paired with
Cross-Origin-Embedder-Policy
set to require-corp or credentialless, this directive
establishes cross-origin isolation and enables
SharedArrayBuffer, high-resolution timers, and
performance.measureUserAgentSpecificMemory().
noopener-allow-popups
The document forces every navigation into a new browsing
context group, regardless of the other document's origin
or COOP value, with one exception: popups navigated to
from a same-origin document also using
noopener-allow-popups remain in the same browsing
context group. Popups opened by pages with unsafe-none
COOP open in the same browsing context group. The
window.opener property on the opened page returns a
closed window object.
This directive targets same-origin process isolation. A
sensitive page at example.re/admin isolates from a less
trusted page at example.re/forum, even though both
share the same origin. Same-origin requests,
cookies, localStorage, and service workers remain
accessible across both pages.
Note
The noopener-allow-popups directive is supported
by Chromium-based browsers and Safari. Firefox does
not support this directive.
restrict-properties
The restrict-properties directive limits cross-origin
window access to postMessage() and window.closed
instead of severing the relationship entirely. All other
window properties are blocked. This prevents
frame-counting attacks and cross-site leak vectors while
preserving the minimal communication channel needed for
OAuth and payment popup flows.
Paired with
Cross-Origin-Embedder-Policy,
this directive establishes cross-origin isolation like
same-origin, enabling SharedArrayBuffer and
high-resolution timers without breaking popup
communication.
Note
The restrict-properties directive is experimental
and under development in Chromium-based browsers.
report-to
The report-to parameter specifies the name of the
reporting endpoint group receiving COOP violation reports.
The name maps to a URL declared in the
Reporting-Endpoints response
header.
Cross-Origin-Opener-Policy: same-origin; report-to="coop"
Reporting-Endpoints: coop="https://reports.example.re/coop"
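The following is an added example, not code from this page or from any browser engine. It models the decisions described in the Usage and Directives sections above: parseCoop and parseReportingEndpoints read the header syntax shown for report-to, reportingIsWired checks that a report-to group actually has a matching Reporting-Endpoints entry, crossOriginIsolated predicts window.crossOriginIsolated from the COOP/COEP pair, and popupIsSevered applies the "match" rule the HTML Standard uses for unsafe-none, same-origin-allow-popups and same-origin to decide whether a popup keeps its opener. The noopener-allow-popups and restrict-properties values are not modelled. All function names, the origins app.example.re and idp.example.net, and the scenario values are assumptions constructed for the example.

```javascript
// Added example, not code from the page or from any browser engine: a small
// model of the COOP decisions described on the page. parseCoop and
// parseReportingEndpoints read the header syntax shown on the page;
// popupIsSevered applies the "match" rule from the HTML Standard for
// unsafe-none, same-origin-allow-popups and same-origin. The values
// noopener-allow-popups and restrict-properties are recognised but not modelled.

const COOP_VALUES = new Set([
  'unsafe-none', 'same-origin-allow-popups', 'same-origin',
  'noopener-allow-popups', 'restrict-properties',
]);

// Parse `same-origin; report-to="coop"` into { value, reportTo }. An unknown
// or absent directive is treated as unsafe-none, which is the browser default.
function parseCoop(headerValue) {
  if (typeof headerValue !== 'string') return { value: 'unsafe-none', reportTo: null };
  const [first, ...params] = headerValue.split(';').map((s) => s.trim());
  const value = COOP_VALUES.has(first) ? first : 'unsafe-none';
  let reportTo = null;
  for (const p of params) {
    const m = /^report-to=("?)([^"]*)\1$/.exec(p);
    if (m) reportTo = m[2];
  }
  return { value, reportTo };
}

// Parse `coop="https://reports.example.re/coop", other="..."` into a name -> URL map.
function parseReportingEndpoints(headerValue) {
  const endpoints = new Map();
  if (typeof headerValue !== 'string') return endpoints;
  for (const item of headerValue.split(',')) {
    const m = /^\s*([A-Za-z0-9_*.-]+)="([^"]*)"\s*$/.exec(item);
    if (m) endpoints.set(m[1], m[2]);
  }
  return endpoints;
}

// Deployment check: a report-to group with no matching Reporting-Endpoints
// entry means violation reports are generated and then silently dropped.
function reportingIsWired(coopHeader, reportingEndpointsHeader) {
  const { reportTo } = parseCoop(coopHeader);
  return reportTo !== null && parseReportingEndpoints(reportingEndpointsHeader).has(reportTo);
}

// Would window.crossOriginIsolated be true for a document served with these
// headers? Only the widely supported same-origin COOP value is considered.
function crossOriginIsolated(coopHeader, coepHeader) {
  const coep = typeof coepHeader === 'string' ? coepHeader.split(';')[0].trim() : '';
  return parseCoop(coopHeader).value === 'same-origin' &&
    (coep === 'require-corp' || coep === 'credentialless');
}

// HTML Standard "match" rule: both unsafe-none, or the same non-default value
// on the same origin.
function coopMatches(a, originA, b, originB) {
  if (a === 'unsafe-none' && b === 'unsafe-none') return true;
  if (a === 'unsafe-none' || b === 'unsafe-none') return false;
  return a === b && originA === originB;
}

// A popup created by window.open() starts as an initial about:blank document
// that inherits the opener's COOP and origin. When it navigates to the real
// response, the browser decides whether it must move to a new browsing context
// group; that move is what turns window.opener into null and the opener's
// handle into a closed window. Returns true when the relationship is severed.
function popupIsSevered(opener, response) {
  if (coopMatches(opener.coop, opener.origin, response.coop, response.origin)) return false;
  // same-origin-allow-popups keeps popups that do not themselves set COOP.
  if (opener.coop === 'same-origin-allow-popups' && response.coop === 'unsafe-none') return false;
  return true;
}

// Constructed scenarios (assumed origins) mirroring the page's OAuth and
// isolation examples.
function scenarios() {
  const app = 'https://app.example.re';
  const idp = { coop: 'unsafe-none', origin: 'https://idp.example.net' };
  return {
    oauthPopupKeepsOpener: !popupIsSevered({ coop: 'same-origin-allow-popups', origin: app }, idp),
    isolatedPageSeversPopup: popupIsSevered({ coop: 'same-origin', origin: app }, idp),
    sameOriginSameCoopStays: !popupIsSevered({ coop: 'same-origin', origin: app },
      { coop: 'same-origin', origin: app }),
    isolated: crossOriginIsolated('same-origin', 'require-corp'),
    reportingWired: reportingIsWired('same-origin; report-to="coop"',
      'coop="https://reports.example.re/coop"'),
  };
}

console.log(scenarios());
```

Run it with Node to see the scenario table; the reportingIsWired check is the one worth wiring into a deployment test, since a typo in the group name produces no error in any browser.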
Example
Cross-origin isolation using same-origin COOP paired
with COEP. This enables SharedArrayBuffer and other
isolated APIs. All cross-origin subresources need
Cross-Origin-Resource-Policy
headers or CORS.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
A site using OAuth popups sets same-origin-allow-popups
to preserve the popup communication channel. The OAuth
provider's authorization page opens in a popup and
communicates the result back through window.opener.
Cross-Origin-Opener-Policy: same-origin-allow-popups
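An added example of the popup communication channel that same-origin-allow-popups keeps open; it is not code from this page or from any identity provider. The opener validates every message on its origin before trusting it, because any window holding a reference to the opener can post to it. The origin https://idp.example.net, the message shape ({ type, code, state }) and all function names are assumptions; acceptAuthResult is a pure function that runs without a browser, while startLogin and postResultToOpener are the browser-side wiring.

```javascript
// Added example (not code from the page): the opener and popup sides of an
// OAuth popup flow under Cross-Origin-Opener-Policy: same-origin-allow-popups.
// IDP_ORIGIN, the message shape and the function names are assumptions.

const IDP_ORIGIN = 'https://idp.example.net'; // assumed identity-provider origin

// Validate one MessageEvent-like object received by the opener. Returns the
// accepted { code, state } or null when the message must be ignored.
function acceptAuthResult(event, expectedOrigin = IDP_ORIGIN) {
  // The origin check is the security boundary of postMessage: the channel
  // itself does not authenticate the sender.
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'oauth-result') return null;
  if (typeof data.code !== 'string' || !/^[A-Za-z0-9._~-]{8,}$/.test(data.code)) return null;
  if (typeof data.state !== 'string' || data.state.length === 0) return null;
  return { code: data.code, state: data.state };
}

// Opener side (browser only): open the popup and resolve with the
// authorization code once a valid message with the expected state arrives.
// If the opener were served with COOP same-origin instead, the handle
// returned by window.open() would behave as a closed window once the popup
// navigates cross-origin and the promise would never resolve, so callers
// should pair this with a timeout.
function startLogin(authorizeUrl, expectedState, expectedOrigin = IDP_ORIGIN) {
  return new Promise((resolve, reject) => {
    const popup = window.open(authorizeUrl, 'oauth', 'popup,width=500,height=650');
    if (!popup) return reject(new Error('popup blocked'));
    function onMessage(event) {
      const result = acceptAuthResult(event, expectedOrigin);
      if (!result || result.state !== expectedState) return; // ignore and keep listening
      window.removeEventListener('message', onMessage);
      popup.close();
      resolve(result.code);
    }
    window.addEventListener('message', onMessage);
  });
}

// Popup side (browser only, served by the identity provider): deliver the
// result to the opener and only to the relying party's exact origin, never "*".
function postResultToOpener(code, state, relyingPartyOrigin) {
  if (!window.opener) throw new Error('no opener: the opener\'s COOP severed the reference');
  window.opener.postMessage({ type: 'oauth-result', code, state }, relyingPartyOrigin);
}
```

The state value that startLogin expects is the same one sent on the authorization request, so a message carrying a code for a different login attempt is dropped even when it comes from the right origin.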
Cross-origin isolation with credentialless COEP for
easier deployment. No-CORS cross-origin requests are sent
without credentials, removing the need for third-party
CORP headers.
Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin
A COOP policy with violation reporting. The report-to
parameter names the endpoint group receiving reports. The
Reporting-Endpoints header maps
the group name to the reporting URL.
Cross-Origin-Opener-Policy: same-origin; report-to="coop"
Reporting-Endpoints: coop="https://reports.example.re/coop"
Takeaway
The Cross-Origin-Opener-Policy header controls
browsing context group sharing between cross-origin
windows. The same-origin directive paired with
Cross-Origin-Embedder-Policy
establishes cross-origin isolation, enabling
SharedArrayBuffer and high-resolution timers. The
same-origin-allow-popups directive preserves popup
communication for OAuth and payment flows.
See also
- HTML Standard: Cross-Origin Opener Policies (WHATWG)
- Making your website cross-origin isolated (web.dev)
- COOP: restrict-properties (Chrome Developers)
- Cross-Origin-Opener-Policy-Report-Only
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- Reporting-Endpoints
- CORS
- HTTP headers