The HTTP Cross-Origin-Opener-Policy response header directs top-level documents not to share a browsing context group with cross-origin documents.
The Cross-Origin-Opener-Policy response header is used to process-isolate a specific document so that other documents cannot access it when it is opened in a popup window. By isolating the relevant process, it prevents certain types of cross-origin attacks from compromising network security and information privacy.
There are three directives: unsafe-none, same-origin-allow-popups, and same-origin.
The unsafe-none directive is the default setting, and it grants the document permission to be added to the client’s browsing context group. This is unless the client has an HTTP Cross-Origin-Opener-Policy header of
The same-origin-allow-popups directive signals the client to retain references to newly opened windows, provided that they don’t set an HTTP Cross-Origin-Opener-Policy header or reject process isolation by setting the
The same-origin directive isolates the browsing context so that it is available only to documents of the same origin. No cross-origin document can be accessed within the same browsing context.
In this example, the require-corp directive of the Cross-Origin-Embedder-Policy gives the client access to certain features such as a SharedArrayBuffer. The Cross-Origin-Opener-Policy header is required for this to work correctly.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
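A check for the header pair shown above, as an added example that is not part of the original page: it audits a response's headers and reports whether the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy values together allow features such as SharedArrayBuffer. The function names and sample responses are constructed for illustration, and only the three Cross-Origin-Opener-Policy directives named on this page are modelled.

```javascript
// Added example, not from the original page. Only the three COOP directives
// named above are modelled; any other value is treated as the default.
const COOP_DIRECTIVES = ["unsafe-none", "same-origin-allow-popups", "same-origin"];
// "credentialless" is a second COEP value that browsers accept for isolation.
const COEP_ISOLATING = ["require-corp", "credentialless"];

// Directive token of a header value, without parameters such as
// `; report-to="group"`. Missing, empty or comma-joined (repeated) headers
// conservatively give null.
function directiveOf(value) {
  if (typeof value !== "string" || value.includes(",")) return null;
  const token = value.split(";")[0].trim();
  return token === "" ? null : token;
}

function auditIsolationHeaders(headers) {
  // Header names are case-insensitive; directive tokens are not.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const findings = [];
  const rawCoop = directiveOf(h["cross-origin-opener-policy"]);
  const coop = COOP_DIRECTIVES.includes(rawCoop) ? rawCoop : "unsafe-none";
  if (rawCoop !== coop) {
    findings.push("COOP missing or not recognised: default unsafe-none applies");
  }
  if (coop !== "same-origin") {
    findings.push(`COOP is ${coop}: same-origin is required for isolation`);
  }
  const coep = directiveOf(h["cross-origin-embedder-policy"]);
  if (!COEP_ISOLATING.includes(coep)) {
    findings.push("COEP missing or not an isolating value such as require-corp");
  }
  return { coop, coep, isolated: findings.length === 0, findings };
}

// Constructed sample responses.
const samples = [
  { "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin" },
  { "cross-origin-embedder-policy": "require-corp", "cross-origin-opener-policy": "same-origin-allow-popups" },
  { "Cross-Origin-Opener-Policy": "Same-Origin", "Cross-Origin-Embedder-Policy": "require-corp" },
];
for (const s of samples) console.log(auditIsolationHeaders(s));
```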
The Cross-Origin-Opener-Policy response header is used to instruct the client that a top-level document cannot share a browsing context group with cross-origin documents.