
Cross-Origin-Opener-Policy

The Cross-Origin-Opener-Policy (COOP) HTTP header lets a top-level document control which other documents may share its browsing context group. A browsing context group is the set of windows and tabs that hold direct JavaScript references to one another, through window.opener, the handle returned by window.open(), or named targets. By sending COOP, a site can ensure that cross-origin documents which open it, or which it opens, are placed in a separate group, so they no longer hold a usable reference to its window.

Purpose of Cross-Origin-Opener-Policy

COOP is one of the headers that make cross-origin isolation possible. On its own it cuts the opener relationship with cross-origin documents, which closes off a family of cross-site leak (XS-Leak) attacks in which an attacker page opens your site in a popup and probes the returned window handle (reading window.length to count frames, timing navigations, or spamming postMessage). Combined with Cross-Origin-Embedder-Policy (COEP), it lets the browser place your document in its own process and re-enable features such as SharedArrayBuffer and high-resolution timers that were withdrawn after Spectre; window.crossOriginIsolated reports whether that state was reached.

Using the Cross-Origin-Opener-Policy Header

To implement the COOP header, include it in the HTTP response for the HTML document itself. Browsers only honour it on top-level documents delivered in a secure context (HTTPS); it is ignored on responses loaded into iframes and on plain-HTTP pages. The header’s value determines how strictly the document’s browsing context group is isolated.

COOP Header Values

The Cross-Origin-Opener-Policy header takes one of the following three values; anything else, including a misspelt or differently-cased value (the token is compared case-sensitively), is treated as unsafe-none:

  1. unsafe-none (default): The document may share a browsing context group with any other document, regardless of origin, unless that other document opts into isolation itself. No isolation is applied.
  2. same-origin-allow-popups: The document is isolated from cross-origin documents that open it, but popups it opens itself stay reachable as long as they do not send COOP (or send unsafe-none). Use it when your site needs a handle to a third-party popup, for example an OAuth or payment window, while still refusing to be opened by an attacker page.
  3. same-origin: The strictest value. The document shares a browsing context group only with same-origin documents that also send same-origin. Every cross-origin opener or popup loses its reference, and this is the value required (together with Cross-Origin-Embedder-Policy) for cross-origin isolation.

Two documents on the same origin that send different values are also separated from each other, so apply one value consistently across an origin. A fourth value, noopener-allow-popups, was added to the HTML specification more recently and is not covered here.
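The rules above are easiest to see by running them. The following is an added example, not code from the original page: a small model of the decision a browser makes on every top-level navigation, written after the HTML specification’s "matching cross-origin opener policies" and "check if COOP values require a browsing context group switch" algorithms. It covers the three values listed above; the origins, header values and scenario names are constructed for illustration.

```javascript
// Added example (not code from the original page): a model of the decision a
// browser makes on every top-level navigation, following the HTML specification's
// "matching cross-origin opener policies" and "check if COOP values require a
// browsing context group switch" algorithms. All origins and headers below are
// constructed test data.

const COOP_VALUES = new Set(["unsafe-none", "same-origin", "same-origin-allow-popups"]);

// The header is parsed as a structured-field token: the comparison is
// case-sensitive, an unknown token or a missing header means unsafe-none, and a
// report-to parameter does not take part in matching.
function parseCoop(headerValue) {
  if (typeof headerValue !== "string") return "unsafe-none";
  const token = headerValue.split(";")[0].trim();
  return COOP_VALUES.has(token) ? token : "unsafe-none";
}

// COOP is only obtained in a secure context; elsewhere the browser behaves as if
// unsafe-none were sent. (The spec's "potentially trustworthy" test also accepts
// localhost; this simplified check only looks for https.)
function effectiveCoop(headerValue, origin) {
  return origin.startsWith("https://") ? parseCoop(headerValue) : "unsafe-none";
}

// Two documents may stay in one browsing context group (BCG) only if their
// policies match: both unsafe-none, or the same non-default value on the same origin.
function coopMatches(a, originA, b, originB) {
  if (a === "unsafe-none" && b === "unsafe-none") return true;
  if (a === "unsafe-none" || b === "unsafe-none") return false;
  return a === b && originA === originB;
}

// Does navigating the current document to the response force a fresh BCG?
// isInitialAboutBlank is true only on the first navigation of a newly opened
// popup; that is the single case same-origin-allow-popups lets through.
function requiresBcgSwitch(current, currentOrigin, response, responseOrigin, isInitialAboutBlank) {
  if (coopMatches(current, currentOrigin, response, responseOrigin)) return false;
  if (current === "same-origin-allow-popups" && response === "unsafe-none" && isInitialAboutBlank) return false;
  return true;
}

// Simulate opener.window.open(url): the popup starts as the initial about:blank
// inside the opener's BCG, inheriting the opener's policy and origin, then
// navigates to the response. A switch severs the link in both directions.
function simulatePopup(opener, popup) {
  const openerCoop = effectiveCoop(opener.coop, opener.origin);
  const popupCoop = effectiveCoop(popup.coop, popup.origin);
  const switched = requiresBcgSwitch(openerCoop, opener.origin, popupCoop, popup.origin, true);
  return {
    switched,
    popupOpenerIsNull: switched,  // in the popup: window.opener === null
    openerHandleClosed: switched, // in the opener: the window.open() handle reports closed === true
  };
}

const APP = "https://app.example";
const scenarios = {
  // A same-origin page loses its handle to any third-party popup ...
  strictOpensThirdParty: simulatePopup({ coop: "same-origin", origin: APP },
                                       { coop: undefined, origin: "https://pay.example" }),
  // ... whereas same-origin-allow-popups keeps it, as long as the popup sends no COOP ...
  allowPopupsOpensThirdParty: simulatePopup({ coop: "same-origin-allow-popups", origin: APP },
                                            { coop: undefined, origin: "https://pay.example" }),
  // ... but not when the cross-origin popup opts into isolation itself.
  allowPopupsOpensIsolatedThirdParty: simulatePopup({ coop: "same-origin-allow-popups", origin: APP },
                                                    { coop: "same-origin-allow-popups", origin: "https://pay.example" }),
  // Either non-default value protects against being opened by an attacker page.
  attackerOpensStrict: simulatePopup({ coop: undefined, origin: "https://attacker.example" },
                                     { coop: "same-origin", origin: APP }),
  attackerOpensAllowPopups: simulatePopup({ coop: undefined, origin: "https://attacker.example" },
                                          { coop: "same-origin-allow-popups", origin: APP }),
  // Same origin and same value: both documents stay in one BCG.
  strictOpensSameOrigin: simulatePopup({ coop: "same-origin", origin: APP },
                                       { coop: "same-origin", origin: APP }),
  // Same origin but different values: the handle is severed anyway.
  mixedPoliciesSameOrigin: simulatePopup({ coop: "same-origin", origin: APP },
                                         { coop: "same-origin-allow-popups", origin: APP }),
  // Over plain http the header is ignored, so the attacker keeps a live handle.
  strictOverHttp: simulatePopup({ coop: undefined, origin: "https://attacker.example" },
                                { coop: "same-origin", origin: "http://app.example" }),
};

for (const [name, result] of Object.entries(scenarios)) {
  console.log(name.padEnd(36), result);
}
```

The scenario table is the part worth keeping to hand: it shows that same-origin-allow-popups still refuses an attacker’s window.open() of your page, that a cross-origin popup which sets its own non-default COOP is cut off even from a same-origin-allow-popups opener, and that mixing values within one origin or serving the page over plain HTTP quietly loses the protection.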

Example: Implementing the COOP Header

To send the COOP header, add it to your web server’s configuration for HTML responses.

For an Apache server with mod_headers enabled, add this line to your .htaccess file or virtual host (the quotes are configuration syntax and are not sent on the wire; always makes Apache add the header to error responses as well):

Header always set Cross-Origin-Opener-Policy "same-origin"

For an Nginx server, add this line to your server block (the always parameter has the same effect; note that an add_header directive inside a location block replaces, rather than extends, the headers inherited from the server block, so repeat it there if needed):

add_header Cross-Origin-Opener-Policy same-origin always;

In this example, we set the COOP header value to same-origin, which isolates the browsing context from other origins.

Sample Request and Response

Here’s a sample HTTP request and response that includes the Cross-Origin-Opener-Policy header:

Request:

GET /index.html HTTP/1.1
Host: example.com

Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy: same-origin

In this example, the server responds with the COOP header set to same-origin, which isolates the browsing context from cross-origin interactions.

Compatibility and Best Practices

All current major browsers (Chrome, Edge, Firefox and Safari) support the Cross-Origin-Opener-Policy header; older browsers simply ignore it, so sending it costs nothing. COOP is one piece of a set of related headers: combine it with Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP) to achieve full cross-origin isolation, and with a Content Security Policy (CSP) for defence against injection. CORS is not a substitute; it governs which cross-origin resource reads are permitted, not which windows may hold references to each other.

COOP breaks any feature that depends on a cross-origin window reference: OAuth and payment flows that wait for a popup to call window.opener.postMessage(), single sign-on pages that set window.opener.location, and scripts that expect the handle returned by window.open() to stay alive. Before enforcing, deploy Cross-Origin-Opener-Policy-Report-Only with the intended value and a report-to parameter pointing at a Reporting API endpoint; the browser then reports each navigation or access that would have been blocked, without changing behaviour. After switching to the enforcing header, verify from the devtools console that window.opener is null when your page is opened from a cross-origin site and, if you need cross-origin isolation, that window.crossOriginIsolated is true.
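The checks a practitioner runs after deployment can be scripted. The following is an added example, not code from the original page: a function that audits the response headers of a page (as captured with curl -I or from a browser’s network panel) and flags the misconfigurations that silently leave a site without the isolation it expects. The header sets at the bottom are constructed sample data, and the finding texts are this example’s own.

```javascript
// Added example (not code from the original page): a check to run over the
// response headers of a deployed page to catch misconfigurations that leave a
// site without the isolation it expects. Header sets below are constructed.

const KNOWN_COOP = new Set(["unsafe-none", "same-origin", "same-origin-allow-popups"]);
const ISOLATING_COEP = new Set(["require-corp", "credentialless"]);

// First structured-field item of a header value, without parameters such as report-to.
function headerToken(value) {
  return typeof value === "string" ? value.split(";")[0].trim() : undefined;
}

// url: where the response came from. headers: object keyed by lower-cased
// header name, as Node's http module presents them.
// Returns a list of findings; an empty list means the deployment looks right.
function auditCoop(url, headers) {
  const findings = [];
  const coop = headerToken(headers["cross-origin-opener-policy"]);
  const reportOnly = headerToken(headers["cross-origin-opener-policy-report-only"]);
  const coep = headerToken(headers["cross-origin-embedder-policy"]);

  if (!url.startsWith("https://")) {
    findings.push("served over http: browsers ignore COOP outside a secure context");
  }
  if (coop === undefined) {
    findings.push(reportOnly === undefined
      ? "no Cross-Origin-Opener-Policy header: the default is unsafe-none"
      : "only the Report-Only header is present: violations are reported, not enforced");
  } else if (!KNOWN_COOP.has(coop)) {
    // Catches quoted, mis-cased or misspelt values, which browsers silently treat as unsafe-none.
    findings.push(`unrecognised COOP value ${JSON.stringify(coop)}: treated as unsafe-none`);
  } else if (coop === "unsafe-none") {
    findings.push("COOP is explicitly unsafe-none: no isolation");
  }
  if (coop === "same-origin" && !ISOLATING_COEP.has(coep)) {
    // Informational: only matters if the page needs SharedArrayBuffer or other gated features.
    findings.push("info: same-origin without COEP require-corp or credentialless: crossOriginIsolated stays false");
  }
  return findings;
}

// Constructed sample responses.
const samples = {
  correct: auditCoop("https://app.example/", {
    "cross-origin-opener-policy": 'same-origin; report-to="coop"',
    "cross-origin-embedder-policy": "require-corp",
  }),
  missing: auditCoop("https://app.example/", { "content-type": "text/html" }),
  quoted: auditCoop("https://app.example/", { "cross-origin-opener-policy": '"same-origin"' }),
  reportOnlyOnly: auditCoop("https://app.example/", {
    "cross-origin-opener-policy-report-only": 'same-origin; report-to="coop"',
  }),
  plainHttp: auditCoop("http://app.example/", { "cross-origin-opener-policy": "same-origin" }),
  noCoep: auditCoop("https://app.example/", { "cross-origin-opener-policy": "same-origin" }),
};

for (const [name, findings] of Object.entries(samples)) {
  console.log(name.padEnd(16), findings.length ? findings : "ok");
}
```

To feed it real data, collect the headers with something like curl -sI over the page URL and lower-case the names before building the object; the quoted-value case is worth keeping because a header value that reaches the wire wrapped in double quotes is a string, not a token, and the browser falls back to unsafe-none without any console warning.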

Summary

The Cross-Origin-Opener-Policy header is a valuable security feature that helps protect your website from cross-origin attacks by isolating its browsing context. By understanding the different values and implementing the header correctly, you can enhance the security of your website while maintaining its functionality. Remember to combine COOP with other security headers and test your website thoroughly to ensure the best possible protection.
