High Security Header

Cross-Origin-Opener-Policy

Learn how COOP prevents cross-origin window manipulation and popup attacks.

SiteSecurityScore Team·9 min read·Updated Feb 20, 2026

Cross-Origin-Opener-Policy (COOP) is a security header that controls how your website can be opened in new windows or tabs. This policy helps prevent cross-origin window manipulation attacks and enhances browser security isolation.

What is Cross-Origin-Opener-Policy?#

Cross-Origin-Opener-Policy (COOP) controls the relationship between your page and other browsing contexts (windows or tabs) that may reference it. Two pages are 'cross-origin' when they differ in protocol, domain, or port (for example, your-site.com and another-site.com). When a page opens a popup or is opened by another page, the two windows can normally communicate via the window.opener reference. COOP allows you to sever this connection, preventing cross-origin windows from accessing your page's window object.

  • Controls whether other windows can reference your page via window.opener
  • Prevents cross-origin pages from manipulating your window's properties
  • Combined with COEP, enables full cross-origin isolation in the browser
  • Protects against Spectre-style attacks that exploit shared browsing contexts

Window Reference Attacks#

Without COOP, when your page opens a popup or is opened by another page, a bidirectional reference exists between the two windows. A malicious site that opens your page (or is opened by it) can use this reference to navigate your window, read its URL, or probe for information through side-channel techniques.

  • window.opener gives the opened page a reference back to the opener's window
  • Attackers can use window.open to create a reference to your page
  • Cross-origin references allow navigation of the target window (changing its URL)
  • Side-channel attacks can probe the target window's properties to infer state
Tabnabbing Attack

In a reverse tabnabbing attack, a malicious page opened from your site uses window.opener.location to redirect your page to a phishing site. The user returns to what they think is your site but is actually a login page controlled by the attacker.

COOP Values Explained#

COOP offers three values that control how strictly your page is isolated from other browsing contexts.

  • same-origin: Full isolation. Your page can only share a browsing context with pages from the same origin. All cross-origin window references are severed. Required for cross-origin isolation with COEP.
  • same-origin-allow-popups: Your page is isolated from cross-origin openers, but popups you open can still reference your window. Useful for OAuth flows and payment windows.
  • unsafe-none: No isolation. This is the default browser behavior. Windows can freely reference each other across origins.
MDN: Cross-Origin-Opener-Policy

Implementation Guide#

Choose your COOP value based on whether your application uses popups for authentication, payment processing, or other cross-origin interactions.

OAuth and Payment Flows

If your site uses OAuth login popups (Google, GitHub, etc.) or payment windows (Stripe, PayPal), use same-origin-allow-popups. This allows your page to open popups while still protecting against cross-origin opener attacks.

Configuration
# Apache Header always set Cross-Origin-Opener-Policy "same-origin" # Nginx add_header Cross-Origin-Opener-Policy "same-origin" always; # Node.js / Express app.use((req, res, next) => { res.setHeader('Cross-Origin-Opener-Policy', 'same-origin'); next(); }); # For sites using OAuth popups or payment windows: # Use same-origin-allow-popups instead of same-origin Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"

Best Practices#

Deploy COOP carefully, considering your application's use of popups and cross-origin window interactions.

  • Use same-origin for maximum security when your site does not rely on cross-origin popups
  • Use same-origin-allow-popups if you use OAuth, payment, or other popup-based flows
  • Deploy alongside COEP for full cross-origin isolation benefits
  • Test popup-based flows (login, payment) thoroughly after enabling COOP
  • Use rel='noopener' on external links as an additional defense against opener attacks
  • Monitor for broken functionality after deployment, especially third-party integrations
web.dev: Cross-origin isolation guide

Implementation Examples#

Same Origin Only

Cross-Origin-Opener-Policy: same-origin

Only allows windows from the same origin to interact

Explanation: This is the most secure option. Only windows from the same origin can interact with your site's window.

Allow Popups

Cross-Origin-Opener-Policy: same-origin-allow-popups

Allows popups but isolates them from the opener

Explanation: This allows popups but prevents them from accessing the opener window, providing a balance between functionality and security.

Unsafe None

Cross-Origin-Opener-Policy: unsafe-none

No cross-origin isolation (default behavior)

Explanation: This is the default behavior without COOP. No cross-origin isolation is provided.

Key Directives#

same-origin

Only allows windows from the same origin to interact

same-origin

same-origin-allow-popups

Allows popups but isolates them from the opener

same-origin-allow-popups

unsafe-none

No cross-origin isolation (default behavior)

unsafe-none

References#

Cross-Origin-Opener-Policy(MDN Web Docs)Making your website cross-origin isolated(web.dev)
Was this helpful?
Share

Test Your Cross-Origin-Opener-Policy Configuration

Scan your site to check if Cross-Origin-Opener-Policy is properly configured.

Scan Your WebsiteAdvanced Security Headers Guide