Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
Entry № 266

Cross-Origin Opener Policy (COOP)

Reviewed byCybersecurity entrepreneur & security researcher

What is Cross-Origin Opener Policy (COOP)?

Cross-Origin Opener Policy (COOP)An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.


Cross-Origin Opener Policy is a browser security header (Cross-Origin-Opener-Policy) that controls whether a top-level document shares a browsing-context group with cross-origin openers and pop-ups. Values are unsafe-none (the default, fully shared), same-origin-allow-popups (isolates the document but lets it open cross-origin pop-ups), and same-origin (full isolation). With same-origin, the browser severs the window.opener reference for cross-origin navigations, preventing attacks such as XS-Leaks that rely on probing properties of a sibling tab. COOP is also a precondition for the cross-origin isolated state, which together with COEP (Cross-Origin-Embedder-Policy: require-corp) unlocks SharedArrayBuffer, high-resolution timers, and other features that were restricted in the wake of Spectre. Most security-sensitive sites set Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp together.

Examples

  1. 01

    An authenticated dashboard sets `Cross-Origin-Opener-Policy: same-origin` so that any window opened from an attacker site cannot read its `window` object after navigation.

  2. 02

    A WASM-heavy app enables COOP and COEP together to qualify for cross-origin isolation and regain access to `SharedArrayBuffer`.

Frequently asked questions

What is Cross-Origin Opener Policy (COOP)?

An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends. It belongs to the Application Security category of cybersecurity.

What does Cross-Origin Opener Policy (COOP) mean?

An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.

How do you defend against Cross-Origin Opener Policy (COOP)?

Defences for Cross-Origin Opener Policy (COOP) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Cross-Origin Opener Policy (COOP)?

Common alternative names include: COOP.

Related terms

See also