
Free Cross-Origin-Opener-Policy (COOP) Checker

Check whether a website sets Cross-Origin-Opener-Policy to isolate its browsing context from cross origin windows.

Free and instant. No account or signup needed.

What Cross-Origin-Opener-Policy does

Cross-Origin-Opener-Policy, or COOP, controls whether your page shares a browsing context group with the windows it opens and the windows that open it. A browsing context group is a set of tabs, popups, and frames that can hold live references to each other through properties like window.opener. When pages from different origins sit in the same group, one can reach into the other and probe or manipulate it. COOP lets you break that link by placing your page in a group of its own.

Setting Cross-Origin-Opener-Policy to same-origin tells the browser to give your page a fresh browsing context group whenever the document on the other side does not match your origin. Other origins that open your page lose their window reference, and a page you open in a popup is severed too unless it shares your origin. That isolation shuts down cross window attacks. Tabnabbing, where a page you opened silently rewrites your original tab through window.opener, stops working. It also removes a path that Spectre style side channel attacks use to read memory across origins inside a shared process.

COOP and cross origin isolation

COOP is also one half of cross origin isolation, the state a page needs before the browser will hand it powerful features such as SharedArrayBuffer and high precision timers. A page becomes cross origin isolated only when it sends Cross-Origin-Opener-Policy: same-origin together with Cross-Origin-Embedder-Policy: require-corp. Send COOP on your top level HTML responses, and if popups or OAuth flows break, try same-origin-allow-popups, which keeps the protection while letting your own popups stay connected. When you are ready to confirm both headers line up, the cross-origin isolation checker tells you whether your page qualifies.
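The evaluation described in the two sections above can be sketched as follows. This is an added example, not SiteSecurityScore's own code: the function names checkCoop and parseToken are hypothetical, the header sets are constructed samples, and the header parsing is a simplified form of the browser's structured-field parsing. It goes slightly beyond the page by also accepting Cross-Origin-Embedder-Policy: credentialless, which the HTML specification treats as compatible with cross-origin isolation.

```javascript
// Added example, not SiteSecurityScore's code. All header sets are constructed samples.
// Values covered: those named on the page plus the default; newer values are out of scope.
const COOP_VALUES = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);
// The page names require-corp; the HTML spec also accepts credentialless.
const COEP_ISOLATING = new Set(["require-corp", "credentialless"]);

// Simplified structured-field item parse: one token plus optional ;parameters.
// A comma-joined list (duplicated header) or a quoted string yields null.
function parseToken(raw) {
  if (typeof raw !== "string") return null;
  const m = /^([A-Za-z*][A-Za-z0-9!#$%&'*+.^_`|~:\/-]*)(?:;.*)?$/.exec(raw.trim());
  return m ? m[1] : null;
}

function checkCoop(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const rawCoop = h["cross-origin-opener-policy"];
  const token = parseToken(rawCoop);
  // Unparseable or unrecognised values fall back to the default, unsafe-none.
  const coop = COOP_VALUES.has(token) ? token : "unsafe-none";
  const coep = parseToken(h["cross-origin-embedder-policy"]);
  const findings = [];
  if (rawCoop === undefined) findings.push("COOP header missing");
  else if (coop !== token) findings.push(`COOP value ignored: ${rawCoop}`);
  if (coop === "unsafe-none" && "cross-origin-opener-policy-report-only" in h)
    findings.push("report-only header present; nothing is enforced");
  if (coop === "same-origin-allow-popups")
    findings.push("does not count toward cross-origin isolation");
  return {
    coop,
    isolatedFromOpeners: coop !== "unsafe-none",
    crossOriginIsolated: coop === "same-origin" && COEP_ISOLATING.has(coep),
    findings,
  };
}

const samples = [
  { "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" },
  { "cross-origin-opener-policy": 'same-origin-allow-popups; report-to="coop"',
    "cross-origin-embedder-policy": "require-corp" },
  { "Cross-Origin-Opener-Policy": "same-origin, same-origin" }, // sent twice, joined by the client
  { "Cross-Origin-Opener-Policy-Report-Only": "same-origin" },
];
for (const s of samples) console.log(JSON.stringify(checkCoop(s)));
```

The third sample is the case worth checking in production: when a proxy and the application both add the header, the combined value no longer parses as a single token and the policy falls back to unsafe-none.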

Frequently asked questions

What is a COOP checker?

A COOP checker inspects the Cross-Origin-Opener-Policy header a website returns, then tells you whether the page isolates its browsing context from cross origin windows. SiteSecurityScore checks this live by scanning the URL you enter.

What does Cross-Origin-Opener-Policy: same-origin do?

It places your page in its own browsing context group, so windows opened from other origins, and windows that open your page, cannot keep a usable reference to it. That cuts off cross window attacks like tabnabbing and helps block Spectre style side channel reads.

Why does COOP matter for cross origin isolation?

Cross origin isolation unlocks powerful features like SharedArrayBuffer and high resolution timers. A page only becomes cross origin isolated when it sends both Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp, so COOP is half of that requirement.

How do I fix a missing COOP header?

Send Cross-Origin-Opener-Policy: same-origin on your top level HTML responses. If you rely on popups or OAuth flows from other origins, test same-origin-allow-popups instead, which keeps the isolation while letting your own popups stay connected.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the Cross-Origin-Opener-Policy header, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy and paste fixes. No account required.
