Cross-Origin Opener Policy (COOP)

Security Glossary - Security Headers

Definition: Cross-Origin Opener Policy (COOP) controls how your page interacts with windows opened from it (popups) and windows that opened it. Setting COOP to same-origin isolates your page's browsing context, preventing cross-origin pages from accessing your window object through references like window.opener.

Why COOP Is Important

Without COOP, a page opened via window.open() can access properties of the opener window if they share an origin, and even a cross-origin page can navigate the opener to a different URL. This creates opportunities for (reverse) tabnabbing attacks: a link opens a new tab, and that tab's JavaScript uses window.opener to navigate the original tab to a phishing page.

COOP: same-origin isolates your browsing context, preventing any cross-origin window from interacting with it. This is one of the requirements (along with COEP) for enabling powerful browser APIs like SharedArrayBuffer and high-resolution timers, which were restricted after the Spectre CPU vulnerability was discovered.

For most websites, setting COOP: same-origin is beneficial and has minimal impact on functionality. The main compatibility concern arises when your site relies on cross-origin window references, such as OAuth login popups that communicate back to the opener. In those cases, COOP: same-origin-allow-popups is a less restrictive option that still isolates your page from the windows that opened it.

How to Test for COOP

A security audit checks for the Cross-Origin-Opener-Policy header. For sites that do not use cross-origin window communication, same-origin is recommended. If you use OAuth popups, test same-origin-allow-popups to confirm compatibility.
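The following is an added example, not code from the page or from DomainOptic: it classifies a response's Cross-Origin-Opener-Policy header the way an audit would and recommends a directive. The `usesOAuthPopups` flag and the sample header sets are constructed for illustration.

```javascript
// Classify a response's Cross-Origin-Opener-Policy (COOP) header and recommend
// a directive, depending on whether the site relies on OAuth login popups that
// must keep their window.opener reference (assumed audit input, see below).
const COOP_HEADER = "cross-origin-opener-policy";

// The three directives the HTML spec defines. unsafe-none is the default when
// the header is absent; browsers also treat unrecognised values as unsafe-none.
const KNOWN = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);

// Return the directive (lower-cased, with any ';report-to=...' parameter removed)
// or null when the header is missing. Header names match case-insensitively.
function parseCoop(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === COOP_HEADER);
  if (key === undefined) return null;
  return String(headers[key]).split(";")[0].trim().toLowerCase();
}

// usesOAuthPopups: true when the page opens cross-origin login popups that
// communicate back to the opener (an assumed input for this example).
function auditCoop(headers, { usesOAuthPopups = false } = {}) {
  const value = parseCoop(headers);
  const recommended = usesOAuthPopups ? "same-origin-allow-popups" : "same-origin";
  const finding = (severity, isolated, message) =>
    ({ value, isolated, severity, recommended, message });

  if (value === null) {
    return finding("warn", false,
      `Header missing; cross-origin pages keep window.opener access. Set ${recommended}.`);
  }
  if (!KNOWN.has(value)) {
    return finding("error", false,
      `Unrecognised directive "${value}" is treated as unsafe-none. Set ${recommended}.`);
  }
  if (value === "unsafe-none") {
    return finding("warn", false, `unsafe-none is the insecure default. Set ${recommended}.`);
  }
  if (value === "same-origin" && usesOAuthPopups) {
    return finding("warn", true,
      "same-origin severs window.opener for popups this page opens; OAuth popup flows may break. Consider same-origin-allow-popups.");
  }
  return finding("ok", true, `${value} isolates this browsing context from cross-origin openers.`);
}

// Constructed sample responses for a stand-alone run.
const samples = [
  { "Content-Type": "text/html" },
  { "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop-endpoint"' },
  { "cross-origin-opener-policy": "Same-Origin-Allow-Popups" },
  { "Cross-Origin-Opener-Policy": "strict" },
];
for (const h of samples) console.log(auditCoop(h, { usesOAuthPopups: true }));
```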


Common Questions About COOP

Do I need COOP if I already have CSP?

Yes. CSP and COOP address different threats. CSP controls which resources can be loaded. COOP controls cross-origin window interactions. Both are valuable, and COOP is required (along with COEP) to enable certain browser security features.

Will COOP break OAuth login popups?

COOP: same-origin may break OAuth flows that rely on window.opener communication. Use same-origin-allow-popups if your site uses popups for authentication. Test thoroughly before deploying in production.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.