You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
COOP will process-isolate your document and potential attackers can't access your global object if they were to open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.
If a cross-origin document with COOP is opened in a new window, the opening document will not have a reference to it, and the window.opener property of the new window will be null. This allows you to have more control over references to a window than rel=noopener, which only affects outgoing navigations.
OWASP recommended value (as of May 11th, 2023): Cross-Origin-Opener-Policy: same-origin
This value means that "Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context."
10k ft View
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
OWASP recommended value (as of May 11th, 2023):
Cross-Origin-Opener-Policy: same-origin
This value means that "Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context."
Resources
The text was updated successfully, but these errors were encountered: