Cross-Origin-Opener-Policy (COOP) Header Explained
Cross-Origin-Opener-Policy (COOP) is an HTTP response header that isolates your page from cross-origin windows. Setting it to same-origin prevents other websites from gaining a reference to your window object via window.open(), blocking Spectre-type side-channel attacks and cross-origin information leaks.
Recommended Value
Cross-Origin-Opener-Policy: same-origin
What Each Directive Does
| Directive | Purpose |
|---|---|
| same-origin | Fully isolates the page; cross-origin openers lose their reference |
| same-origin-allow-popups | Isolates the page but allows popups it opens to retain a reference back |
| unsafe-none | Default; no isolation, other origins can reference your window |
What Happens Without This Header
Without COOP, a malicious page that opens yours via window.open() retains a reference to your window object. Combined with Spectre-type attacks, this can leak sensitive data from your page's memory, including authentication tokens and user data.
How to Implement
# Nginx
add_header Cross-Origin-Opener-Policy "same-origin" always;
# Apache
Header always set Cross-Origin-Opener-Policy "same-origin"
# Express.js
app.use((req, res, next) => {
  res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
  next();
});
Testing and Report-Only
Use the Cross-Origin-Opener-Policy-Report-Only header to test COOP before enforcing it: in report-only mode the browser reports what the policy would have blocked but does not actually isolate the page. Violations are sent to the endpoint group named by the header's report-to parameter and defined in the Reporting-Endpoints header.
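To check that a deployment actually matches the recommendation above (enforced, not merely report-only, and with a reachable report-to group), here is an added example that is not part of the original article: a small Node.js checker over a response's headers. It assumes lowercased header names as Node's http.IncomingMessage.headers provides; the sample headers are constructed, not captured from any real site.

```javascript
const COOP = 'cross-origin-opener-policy';
const COOP_RO = 'cross-origin-opener-policy-report-only';

// Parse 'same-origin; report-to="default"' into { directive, reportTo }.
function parseCoop(value) {
  const [rawDirective, ...params] = value.split(';').map((s) => s.trim());
  let reportTo = null;
  for (const p of params) {
    const m = /^report-to\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) reportTo = m[1];
  }
  return { directive: rawDirective.toLowerCase(), reportTo };
}

// Assess the COOP posture of one response; returns { enforced, findings }.
function assessCoop(headers) {
  const findings = [];
  const enforce = headers[COOP] ? parseCoop(headers[COOP]) : null;
  const reportOnly = headers[COOP_RO] ? parseCoop(headers[COOP_RO]) : null;

  if (!enforce) {
    findings.push(reportOnly
      ? 'COOP is report-only: cross-origin openers still keep their reference'
      : 'COOP header missing: browser default is unsafe-none');
  } else if (enforce.directive === 'unsafe-none') {
    findings.push('COOP set to unsafe-none: no isolation');
  } else if (enforce.directive === 'same-origin-allow-popups') {
    findings.push('same-origin-allow-popups: popups this page opens keep a reference');
  } else if (enforce.directive !== 'same-origin') {
    // Browsers treat an unrecognised directive as unsafe-none.
    findings.push(`unknown COOP directive "${enforce.directive}"`);
  }

  // A report-to group only delivers if Reporting-Endpoints defines it.
  const endpoints = headers['reporting-endpoints'] || '';
  for (const p of [enforce, reportOnly]) {
    if (p && p.reportTo && !endpoints.includes(`${p.reportTo}=`)) {
      findings.push(`report-to group "${p.reportTo}" has no Reporting-Endpoints entry`);
    }
  }
  return { enforced: Boolean(enforce), findings };
}

// Constructed sample: a site still in the report-only testing phase.
const sampleHeaders = {
  [COOP_RO]: 'same-origin; report-to="coop"',
  'reporting-endpoints': 'coop="https://reports.example.invalid/coop"',
};
console.log(assessCoop(sampleHeaders));
```

Feed it the headers object from an http.get response to audit a staging host before flipping from Report-Only to the enforcing header.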