Cross-origin isolation

Cross-Origin-Opener-Policy


COOP severs the link between your page and any cross-origin window that opened it (or that it opens), so they can't reference each other via window.opener. The same-origin value gives the strongest isolation and, paired with COEP (Cross-Origin-Embedder-Policy), enables crossOriginIsolated (needed for SharedArrayBuffer and precise timers) while mitigating Spectre-style cross-origin leaks. Use same-origin-allow-popups if you rely on OAuth-style popups.

Example

Cross-Origin-Opener-Policy: same-origin
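
The following is an added example, not code from this page or its tool: a header-level check of whether a response's COOP value is one of the three options and whether, together with COEP, it allows crossOriginIsolated. The function names are hypothetical, `headers` is assumed to be an object with lower-cased names, and the COEP values `require-corp` and `credentialless` come from the COEP specification rather than this page.

```javascript
// Added example: names below are hypothetical, not part of any tool or library.
// `headers` is assumed to be an object keyed by lower-cased header names.
const COOP_VALUES = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);
const ISOLATING_COEP = new Set(["require-corp", "credentialless"]);

// Return the token before any ";parameter" (e.g. report-to), or null if absent.
// Tokens are compared exactly, because they are case-sensitive.
function headerToken(value) {
  if (typeof value !== "string") return null;
  const token = value.split(";")[0].trim();
  return token === "" ? null : token;
}

// A missing or unrecognised value behaves like unsafe-none (no isolation).
function effectiveCoop(headers) {
  const token = headerToken(headers["cross-origin-opener-policy"]);
  return COOP_VALUES.has(token) ? token : "unsafe-none";
}

function assessIsolation(headers) {
  const raw = headers["cross-origin-opener-policy"];
  const coop = effectiveCoop(headers);
  const coep = headerToken(headers["cross-origin-embedder-policy"]);
  const findings = [];
  if (raw === undefined) {
    findings.push("COOP header missing");
  } else if (headerToken(raw) !== coop) {
    findings.push(`COOP value "${raw}" not recognised, treated as unsafe-none`);
  }
  if (coop === "same-origin-allow-popups") {
    findings.push("opener link is kept for popups this page opens");
  }
  const crossOriginIsolated = coop === "same-origin" && ISOLATING_COEP.has(coep);
  if (coop === "same-origin" && !crossOriginIsolated) {
    findings.push("COEP missing or non-isolating: crossOriginIsolated stays false");
  }
  return { coop, crossOriginIsolated, findings };
}

// Constructed sample responses.
const samples = [
  { "cross-origin-opener-policy": "same-origin", "cross-origin-embedder-policy": "require-corp" },
  { "cross-origin-opener-policy": "same-origin" },
  { "cross-origin-opener-policy": "Same-Origin" },
  { "cross-origin-opener-policy": "same-origin-allow-popups; report-to=\"coop\"" },
];
for (const h of samples) console.log(JSON.stringify(assessIsolation(h)));
```

In a browser, window.crossOriginIsolated also depends on the page being a secure context, so treat a true result here as necessary rather than sufficient.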

Options

Option | Type | Default | Notes
value | select (same-origin / same-origin-allow-popups / unsafe-none) | same-origin |

Scoring

Contributes up to 3 points to your grade (a bonus header — not required for an A+).

Full specification on MDN ↗