← Back to Security Headers

Cross-Origin-Opener-Policy

Isolates your browsing context from cross-origin documents.

COOP

Purpose

Prevents cross-origin attacks by isolating window contexts.

Implementation

Set to same-origin or require-corp:

```
Cross-Origin-Opener-Policy: same-origin
```

Examples

same-origin
require-corp
unsafe-none

Best Practices

✓Use same-origin for maximum isolation
✓Coordinate with COEP if using require-corp
✓Test cross-origin window communication

Common Mistakes

✗Not setting the header
✗Breaking legitimate cross-origin features
✗Incompatible with existing integrations

Related Headers

Cross-Origin-Embedder-Policy Cross-Origin-Resource-Policy

References

MDN Web Docs →

Test Your Configuration

Run a free security scan to check if COOP is properly configured on your site.