Cross-Origin-Opener-Policy-Report-Only

The HTTP Cross-Origin-Opener-Policy-Report-Only response header tests a Cross-Origin-Opener-Policy without enforcing the policy, sending violation reports to a designated endpoint instead of breaking cross-origin window references.

Usage

Deploying a strict Cross-Origin-Opener-Policy (COOP) changes how a page interacts with cross-origin popups and opener windows. Setting same-origin on the enforcing header severs the window.opener reference for any cross-origin window, which breaks legitimate workflows like OAuth popups and payment redirects.

The Cross-Origin-Opener-Policy-Report-Only header applies the same policy logic in observation mode. The browser evaluates every cross-origin window interaction against the declared policy and generates a report for each violation, but keeps the window references intact. Reports are sent to the endpoint named in the report-to directive, which maps to a URL declared in the Reporting-Endpoints or Report-To header.

This report-only approach allows operators to measure the impact of a COOP policy before committing to enforcement. Once the violation reports confirm there are no unexpected breakages, the policy moves to the enforcing Cross-Origin-Opener-Policy header.

Directives

unsafe-none

The unsafe-none directive is the default behavior. No cross-origin opener restrictions are applied, and no violation reports are generated. This is the baseline before any COOP policy is introduced.

same-origin-allow-popups

The same-origin-allow-popups directive reports violations when a cross-origin document opens the page, but allows the page itself to open cross-origin popups and retain a reference to them. This is the common first step for sites relying on OAuth or payment popups.

same-origin

The same-origin directive reports violations for any cross-origin window relationship. Both popups opened by the page and windows opening the page generate violation reports when their origins differ.

restrict-properties

The restrict-properties directive enables cross-origin isolation while still permitting popup interaction. Unlike same-origin, this directive does not fully sever the opener relationship with cross-origin popups. Instead, the directive restricts which properties are accessible on the cross-origin window. Pages depending on popups still gain crossOriginIsolated status for access to high-resolution timers and SharedArrayBuffer.

When a page has both COOP: same-origin and a compatible Cross-Origin-Embedder-Policy enforced, the HTML spec internally tracks this combined state as same-origin-plus-COEP. This term is an internal computed value in the specification and is not a directly settable header value. The actual directive to set is restrict-properties.

report-to

The report-to directive specifies the name of the reporting endpoint group receiving COOP violation reports. The name maps to an endpoint declared in the Reporting-Endpoints or Report-To response header. Without this directive, violations are observed but no reports are sent.

Example

A same-origin policy in report-only mode sends violation reports to an endpoint named coop-endpoint. The browser evaluates all cross-origin window interactions against the same-origin policy and reports violations to the URL mapped to coop-endpoint in the Reporting-Endpoints header, without severing any window references.

Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop-endpoint"
Reporting-Endpoints: coop-endpoint="https://reports.example.re/coop"

A same-origin-allow-popups policy in report-only mode catches cases where a cross-origin document opens the page, while still allowing the page to open popups freely. Reports go to the wsp_coop endpoint.

Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="wsp_coop"
Reporting-Endpoints: wsp_coop="https://reports.example.re/wsp-coop"

An unsafe-none report-only value paired with a report-to directive monitors the current state before tightening the policy. The browser reports nothing in this configuration because unsafe-none matches the default behavior. Sites use this as a canary to verify the reporting pipeline works before switching to a stricter policy value.

Cross-Origin-Opener-Policy-Report-Only: unsafe-none; report-to="default"
Reporting-Endpoints: default="https://reports.example.re/default"
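As an added example (not part of the original page), the following Python builds the two headers shown above and summarises a batch of reports received at the endpoint. The report batch is constructed for this example; its body field names (disposition, effectivePolicy, type, the *URL keys) are assumed from the COOP reporting section of the HTML spec, and all URLs are made up.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

COOP_VALUES = {"unsafe-none", "same-origin-allow-popups", "same-origin", "restrict-properties"}


def coop_report_only_headers(policy: str, endpoint: str, report_url: str) -> dict:
    """Build the report-only COOP header plus the Reporting-Endpoints entry it refers to.
    `endpoint` is the group name used in report-to and declared in Reporting-Endpoints."""
    if policy not in COOP_VALUES:
        raise ValueError(f"unknown COOP value: {policy}")
    return {
        "Cross-Origin-Opener-Policy-Report-Only": f'{policy}; report-to="{endpoint}"',
        "Reporting-Endpoints": f'{endpoint}="{report_url}"',
    }


# Constructed sample of a Reporting API batch (sent as application/reports+json).
# Field names are assumed from the HTML spec; origins and paths are invented.
SAMPLE_BATCH = json.dumps([
    {"type": "coop", "age": 12, "url": "https://app.example/login",
     "body": {"disposition": "reporting", "effectivePolicy": "same-origin",
              "type": "navigation-to-response",
              "previousResponseURL": "https://idp.example/authorize",
              "referrer": "https://idp.example/"}},
    {"type": "coop", "age": 3, "url": "https://app.example/checkout",
     "body": {"disposition": "reporting", "effectivePolicy": "same-origin",
              "type": "access-from-coop-page-to-openee",
              "openeeURL": "https://pay.example/popup", "property": "postMessage"}},
    # An unrelated report type that may land on the same endpoint and must be ignored.
    {"type": "csp-violation", "age": 1, "url": "https://app.example/", "body": {}},
])

URL_KEYS = ("previousResponseURL", "nextResponseURL", "openerURL", "openeeURL", "otherDocumentURL")


def summarize_coop_reports(raw: str) -> dict:
    """Count report-only COOP violations by kind and list the other hosts involved,
    so an operator can see which cross-origin flows enforcement would break."""
    counts = Counter()
    hosts = set()
    for report in json.loads(raw):
        if report.get("type") != "coop":
            continue
        body = report.get("body", {})
        if body.get("disposition") != "reporting":
            continue  # enforced violations come from the enforcing header, not this one
        counts[body.get("type", "unknown")] += 1
        hosts.update(urlsplit(body[k]).netloc for k in URL_KEYS if k in body)
    return {"counts": dict(counts), "hosts": sorted(hosts)}
```

Each host in the summary is a candidate for an exception such as same-origin-allow-popups before the policy is moved to the enforcing header.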

Takeaway

The Cross-Origin-Opener-Policy-Report-Only header tests a cross-origin opener policy in observation mode, generating violation reports without enforcing window isolation. This enables safe rollout of strict COOP policies.

Last updated: March 6, 2026