Skip to main content

Security Headers

Cross-Origin-Opener-Policy (COOP): Isolating Your Browsing Context

Cut the link between your pages and windows they open.

Quick answer

Cross-Origin-Opener-Policy (COOP) is an HTTP response header that controls whether a page shares its browsing context with windows it opens or that open it. Setting COOP to same-origin isolates your page, defending against cross-window attacks like tab-nabbing and helping enable cross-origin isolation.

COOP lets a page sever the JavaScript reference between itself and other windows unless they share the same origin. This isolation blocks a class of cross-window attacks and is one half (with COEP) of enabling powerful, cross-origin-isolated features.

Check your website

See how your site handles cross-origin-opener-policy (coop): isolating your browsing context — free, no account needed.

For business owners

COOP is advanced hardening that protects users from subtle cross-window attacks and unlocks high-precision browser features some apps need. For most sites it is a low-risk security upgrade; for apps using advanced APIs it is a requirement. Either way it signals a carefully secured site.

How it works (technical)

Set the header on your document responses:

Cross-Origin-Opener-Policy: same-origin

Values: unsafe-none (default, no isolation), same-origin-allow-popups (keeps references to popups you open), and same-origin (full isolation). With same-origin, cross-origin windows lose their window.opener reference, preventing them from manipulating your page. COOP combined with COEP produces cross-origin isolation, which re-enables powerful features like SharedArrayBuffer and high-resolution timers. Test carefully if you rely on cross-origin popups or OAuth window messaging.

Real-world example

A web app used SharedArrayBuffer for in-browser processing, which browsers gate behind cross-origin isolation. Adding COOP: same-origin alongside COEP enabled the isolated context so the feature worked, while also hardening the app against cross-window interference.

Why it matters

COOP mitigates cross-window attacks and is a prerequisite for cross-origin isolation. Advanced security scans note its presence as a hardening signal.

How to fix it

  1. Add Cross-Origin-Opener-Policy: same-origin to document responses.

  2. Use same-origin-allow-popups if you legitimately open and message popups (e.g. OAuth).

  3. Pair with COEP if you need cross-origin isolation for advanced APIs.

  4. Test OAuth flows, payment popups and window messaging after enabling.

  5. Roll out on a staging environment before production.

Best practices

  • Default to same-origin unless a popup workflow requires otherwise.

  • Combine COOP and COEP deliberately when you need isolation, not by accident.

  • Verify third-party popup integrations still work after enabling.

Common mistakes

  • Enabling strict COOP and breaking OAuth or payment popup messaging.

  • Expecting COOP alone to enable isolation (COEP is also required).

  • Deploying to production without testing window-dependent flows.

Frequently asked questions

What does COOP protect against?

Cross-window attacks such as tab-nabbing and unwanted manipulation via window.opener, by isolating your browsing context from cross-origin windows.

Does COOP break popups?

Strict same-origin can sever references to popups. Use same-origin-allow-popups if you need to open and communicate with popups you control.

Is COOP enough for cross-origin isolation?

No. You need both COOP (same-origin) and COEP (require-corp) for a fully cross-origin-isolated context.

Which features need cross-origin isolation?

Powerful APIs like SharedArrayBuffer and high-resolution timers are gated behind cross-origin isolation for security reasons.

Will COOP affect my analytics?

Generally no, unless analytics rely on cross-window references. Test if you use popup-based integrations.

What is the default COOP value?

unsafe-none, meaning no isolation. You must explicitly set same-origin (or the allow-popups variant) to gain protection.

Is COOP widely supported?

Yes, it is supported in modern browsers. Older browsers simply ignore it, so it degrades safely.

Where do I set COOP?

As an HTTP response header on your HTML documents, configured in your server, framework or CDN.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account