Cross-Origin Opener Policy (COOP)
What is Cross-Origin Opener Policy (COOP)?
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.
Cross-Origin Opener Policy is a browser security header (`Cross-Origin-Opener-Policy`) that controls whether a top-level document shares a browsing-context group with cross-origin openers and pop-ups. Values are `unsafe-none` (the default, fully shared), `same-origin-allow-popups` (isolates the document but lets it open cross-origin pop-ups), and `same-origin` (full isolation). With `same-origin`, the browser severs the `window.opener` reference for cross-origin navigations, preventing attacks such as XS-Leaks that rely on probing properties of a sibling tab. COOP is also a precondition for the cross-origin isolated state, which together with COEP (`Cross-Origin-Embedder-Policy: require-corp`) unlocks `SharedArrayBuffer`, high-resolution timers, and other features that were restricted in the wake of Spectre. Most security-sensitive sites set `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` together.
● Examples
- 01
An authenticated dashboard sets `Cross-Origin-Opener-Policy: same-origin` so that any window opened from an attacker site cannot read its `window` object after navigation.
- 02
A WASM-heavy app enables COOP and COEP together to qualify for cross-origin isolation and regain access to `SharedArrayBuffer`.
● Frequently asked questions
What is Cross-Origin Opener Policy (COOP)?
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends. It belongs to the Application Security category of cybersecurity.
What does Cross-Origin Opener Policy (COOP) mean?
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.
How does Cross-Origin Opener Policy (COOP) work?
Cross-Origin Opener Policy is a browser security header (`Cross-Origin-Opener-Policy`) that controls whether a top-level document shares a browsing-context group with cross-origin openers and pop-ups. Values are `unsafe-none` (the default, fully shared), `same-origin-allow-popups` (isolates the document but lets it open cross-origin pop-ups), and `same-origin` (full isolation). With `same-origin`, the browser severs the `window.opener` reference for cross-origin navigations, preventing attacks such as XS-Leaks that rely on probing properties of a sibling tab. COOP is also a precondition for the cross-origin isolated state, which together with COEP (`Cross-Origin-Embedder-Policy: require-corp`) unlocks `SharedArrayBuffer`, high-resolution timers, and other features that were restricted in the wake of Spectre. Most security-sensitive sites set `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` together.
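The paragraph above describes the decision the browser makes at navigation time; the following is an added example, not code from the original glossary page or from any browser project. It models the HTML specification's two steps ("match opener policy values" and "check if COOP values require a browsing context group switch") for the three COOP values the page lists, and adds a header check for the cross-origin isolated state. All function names, the `severs`/`crossOriginIsolated` fields and the `attacker.example` / `dashboard.example` / `login.idp.example` scenarios are my own constructions; the report-only header and the COEP-combined internal COOP values are deliberately left out.

```javascript
// Added example (not from the original page): a model of the browser's COOP
// decision plus a response-header check. Function names are mine; the logic
// follows the HTML spec's "match opener policy values" and "check if COOP
// values require a browsing context group switch" algorithms.

const COOP_VALUES = new Set(['unsafe-none', 'same-origin-allow-popups', 'same-origin']);
// COEP values that, together with COOP: same-origin, yield crossOriginIsolated.
const ISOLATING_COEP_VALUES = new Set(['require-corp', 'credentialless']);

// Parse a raw header value; a missing or unrecognised value behaves as the
// default 'unsafe-none', which is also how browsers treat a malformed header.
function parseCoop(headerValue) {
  if (typeof headerValue !== 'string') return 'unsafe-none';
  const token = headerValue.split(';')[0].trim().toLowerCase(); // drop ";report-to=..." params
  return COOP_VALUES.has(token) ? token : 'unsafe-none';
}

// COOP compares origins (scheme://host[:port]), not sites.
function originOf(url) {
  return new URL(url).origin;
}

// Spec: "match opener policy values". True when both documents may stay in the
// same browsing context group, i.e. window.opener keeps working across them.
function coopValuesMatch(coopA, originA, coopB, originB) {
  if (coopA === 'unsafe-none' && coopB === 'unsafe-none') return true;
  if (coopA === 'unsafe-none' || coopB === 'unsafe-none') return false;
  return coopA === coopB && originA === originB;
}

// Spec: "check if COOP values require a browsing context group switch".
// `opener` is the document currently in the window (for a fresh popup that is
// the initial about:blank, which carries the opener's COOP and origin) and
// `response` is the document being navigated to. A switch moves the new
// document into a fresh group: window.opener becomes null on its side and the
// opener's WindowProxy to it goes dead.
function requiresBcgSwitch({ isInitialAboutBlank, opener, response }) {
  if (coopValuesMatch(opener.coop, opener.origin, response.coop, response.origin)) return false;
  // The single carve-out: a same-origin-allow-popups page opening an unsafe-none popup.
  if (isInitialAboutBlank && opener.coop === 'same-origin-allow-popups' && response.coop === 'unsafe-none') {
    return false;
  }
  return true;
}

// Does the window that performed the navigation keep a usable reference?
function openerSurvives(scenario) {
  return !requiresBcgSwitch(scenario);
}

// Check a response's headers (plain object keyed by lowercase header name).
function assessIsolationHeaders(headers) {
  const coop = parseCoop(headers['cross-origin-opener-policy']);
  const coepRaw = headers['cross-origin-embedder-policy'];
  const coep = typeof coepRaw === 'string' ? coepRaw.split(';')[0].trim().toLowerCase() : 'unsafe-none';
  return {
    coop,
    coep,
    severs: coop === 'same-origin',                                       // cross-origin openers cut
    crossOriginIsolated: coop === 'same-origin' && ISOLATING_COEP_VALUES.has(coep), // SharedArrayBuffer etc.
  };
}

// Constructed scenarios (hypothetical hosts, not real sites).
const ATTACKER = 'https://attacker.example';
const DASHBOARD = 'https://dashboard.example';
const IDP = 'https://login.idp.example';

// attacker.example (no COOP) calls window.open(DASHBOARD). The popup starts as
// an initial about:blank with the attacker's COOP and origin, then loads the
// dashboard, whose response carries COOP: same-origin.
const attackerOpensDashboard = {
  isInitialAboutBlank: true,
  opener: { coop: 'unsafe-none', origin: originOf(ATTACKER) },
  response: { coop: 'same-origin', origin: originOf(DASHBOARD) },
};

// The dashboard opens a third-party sign-in popup that sends no COOP header;
// the outcome depends on which COOP value the dashboard itself chose.
const dashboardOpensIdp = (dashboardCoop) => ({
  isInitialAboutBlank: true,
  opener: { coop: dashboardCoop, origin: originOf(DASHBOARD) },
  response: { coop: 'unsafe-none', origin: originOf(IDP) },
});

function demo() {
  console.log('attacker -> dashboard (same-origin): opener survives?', openerSurvives(attackerOpensDashboard));
  console.log('dashboard (allow-popups) -> IdP: opener survives?', openerSurvives(dashboardOpensIdp('same-origin-allow-popups')));
  console.log('dashboard (same-origin) -> IdP: opener survives?', openerSurvives(dashboardOpensIdp('same-origin')));
  console.log(assessIsolationHeaders({
    'cross-origin-opener-policy': 'same-origin; report-to="coop"',
    'cross-origin-embedder-policy': 'require-corp',
  }));
}

demo();
```

The two `dashboardOpensIdp` runs show the trade-off the definition mentions: with `same-origin` the sign-in popup loses its opener (and a `postMessage` back to the dashboard has no target), while `same-origin-allow-popups` keeps that popup's reference yet still severs any cross-origin window that opened the dashboard.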
How do you defend against Cross-Origin Opener Policy (COOP)?
Defending against Cross-Origin Opener Policy (COOP) usually combines technical controls and operational practices, as described in the definition above.
What are other names for Cross-Origin Opener Policy (COOP)?
Common aliases: COOP.
● Related terms
- appsec№ 262
Cross-Origin Embedder Policy (COEP)
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.
- appsec№ 237
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources scripts, styles, frames and other resources may be loaded from, limiting the impact of XSS and data-injection attacks.
- appsec№ 552
HTTP security headers
A set of response headers that instruct the browser to apply defensive behaviour such as HTTPS enforcement, framing restrictions, content policies and referrer control.
- appsec№ 1071
Same-Origin Policy (SOP)
A browser security rule that restricts how documents or scripts loaded from one origin can interact with resources from another origin.
- appsec№ 1164
Site Isolation
A Chromium security mechanism that assigns documents from different sites to separate OS processes so that a compromised renderer process cannot read cross-site data.
- vulnerabilities№ 1192
Spectre
A family of microarchitectural attacks that abuse speculative execution in CPUs to leak data across security boundaries via cache-based side channels.
● See also
- № 911 Permissions-Policy