Cross-Origin Opener Policy (COOP).

An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends. Es gehört zur Kategorie Anwendungssicherheit der Cybersicherheit.

An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.

Cross-Origin Opener Policy is a browser security header (`Cross-Origin-Opener-Policy`) that controls whether a top-level document shares a browsing-context group with cross-origin openers and pop-ups. Values are `unsafe-none` (the default, fully shared), `same-origin-allow-popups` (isolates the document but lets it open cross-origin pop-ups), and `same-origin` (full isolation). With `same-origin`, the browser severs the `window.opener` reference for cross-origin navigations, preventing attacks such as XS-Leaks that rely on probing properties of a sibling tab. COOP is also a precondition for the cross-origin isolated state, which together with COEP (`Cross-Origin-Embedder-Policy: require-corp`) unlocks `SharedArrayBuffer`, high-resolution timers, and other features that were restricted in the wake of Spectre. Most security-sensitive sites set `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` together.

Schutzmaßnahmen gegen Cross-Origin Opener Policy (COOP) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: COOP.