Cross-Origin-Opener-Policy (COOP) is an HTTP response header that controls whether a page shares its browsing context with windows it opens or that open it. Setting COOP to same-origin isolates your page, defending against cross-window attacks like tab-nabbing and helping enable cross-origin isolation.
COOP lets a page sever the JavaScript reference between itself and other windows unless they share the same origin. This isolation blocks a class of cross-window attacks and is one half (with COEP) of enabling powerful, cross-origin-isolated features.
Check your website
See how your site handles cross-origin-opener-policy (coop): isolating your browsing context — free, no account needed.
For business owners
COOP is advanced hardening that protects users from subtle cross-window attacks and unlocks high-precision browser features some apps need. For most sites it is a low-risk security upgrade; for apps using advanced APIs it is a requirement. Either way it signals a carefully secured site.
How it works (technical)
Set the header on your document responses:
Cross-Origin-Opener-Policy: same-origin
Values: unsafe-none (default, no isolation), same-origin-allow-popups (keeps references to popups you open), and same-origin (full isolation). With same-origin, cross-origin windows lose their window.opener reference, preventing them from manipulating your page. COOP combined with COEP produces cross-origin isolation, which re-enables powerful features like SharedArrayBuffer and high-resolution timers. Test carefully if you rely on cross-origin popups or OAuth window messaging.
Real-world example
A web app used SharedArrayBuffer for in-browser processing, which browsers gate behind cross-origin isolation. Adding COOP: same-origin alongside COEP enabled the isolated context so the feature worked, while also hardening the app against cross-window interference.
Why it matters
COOP mitigates cross-window attacks and is a prerequisite for cross-origin isolation. Advanced security scans note its presence as a hardening signal.
How to fix it
Add
Cross-Origin-Opener-Policy: same-originto document responses.Use
same-origin-allow-popupsif you legitimately open and message popups (e.g. OAuth).Pair with COEP if you need cross-origin isolation for advanced APIs.
Test OAuth flows, payment popups and window messaging after enabling.
Roll out on a staging environment before production.
Best practices
Default to
same-originunless a popup workflow requires otherwise.Combine COOP and COEP deliberately when you need isolation, not by accident.
Verify third-party popup integrations still work after enabling.
Common mistakes
Enabling strict COOP and breaking OAuth or payment popup messaging.
Expecting COOP alone to enable isolation (COEP is also required).
Deploying to production without testing window-dependent flows.
Frequently asked questions
What does COOP protect against?
Cross-window attacks such as tab-nabbing and unwanted manipulation via window.opener, by isolating your browsing context from cross-origin windows.
Does COOP break popups?
Strict same-origin can sever references to popups. Use same-origin-allow-popups if you need to open and communicate with popups you control.
Is COOP enough for cross-origin isolation?
No. You need both COOP (same-origin) and COEP (require-corp) for a fully cross-origin-isolated context.
Which features need cross-origin isolation?
Powerful APIs like SharedArrayBuffer and high-resolution timers are gated behind cross-origin isolation for security reasons.
Will COOP affect my analytics?
Generally no, unless analytics rely on cross-window references. Test if you use popup-based integrations.
What is the default COOP value?
unsafe-none, meaning no isolation. You must explicitly set same-origin (or the allow-popups variant) to gain protection.
Is COOP widely supported?
Yes, it is supported in modern browsers. Older browsers simply ignore it, so it degrades safely.
Where do I set COOP?
As an HTTP response header on your HTML documents, configured in your server, framework or CDN.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free