Security headers · Check
COOP set to unsafe-none — opting out of opener isolation
Setting `Cross-Origin-Opener-Policy: unsafe-none` explicitly disables opener isolation, leaving you fully reliant on other layers to defend against window-related abuse. Replace it with `same-origin`, or with `same-origin-allow-popups` if your popup flows require it.
Real-world risk
An explicit `unsafe-none` opts out of opener isolation; you then rely entirely on other layers to defend against window-related abuse.
Fix steps (in order)
- Replace `Cross-Origin-Opener-Policy: unsafe-none` with `same-origin`, or with `same-origin-allow-popups` if your workflows require popups.
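The check and the fix above, as an added Python example (not Scorifya's scanner code): it looks up the COOP header case-insensitively, flags an explicit `unsafe-none` under the page's finding id, and produces the corrected header set. The sample headers are constructed; the function names are assumptions of this example.

```python
from typing import Dict, Optional

FINDING_ID = "coop_unsafe_none"  # finding id from the page
HEADER = "Cross-Origin-Opener-Policy"
ISOLATING_VALUES = {"same-origin", "same-origin-allow-popups"}

# Constructed sample response headers (not captured from a real host).
WEAK_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Cross-Origin-Opener-Policy": "unsafe-none",
}


def coop_value(headers: Dict[str, str]) -> Optional[str]:
    """Return the COOP policy token, lower-cased and with any parameters
    (e.g. report-to="...") stripped, or None when the header is absent.
    Header names are matched case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == HEADER.lower():
            return value.split(";", 1)[0].strip().lower()
    return None


def coop_finding(headers: Dict[str, str]) -> Optional[str]:
    """Reproduce the page's check: FINDING_ID when COOP is explicitly
    unsafe-none, else None. An absent header also behaves as unsafe-none
    (the spec default), but that is a separate condition from this
    explicit opt-out and is not reported here."""
    return FINDING_ID if coop_value(headers) == "unsafe-none" else None


def harden_coop(headers: Dict[str, str], allows_popups: bool) -> Dict[str, str]:
    """Return a copy with the page's fix applied: same-origin-allow-popups
    when the site's popup flows need it, otherwise same-origin."""
    fixed = {k: v for k, v in headers.items() if k.lower() != HEADER.lower()}
    fixed[HEADER] = "same-origin-allow-popups" if allows_popups else "same-origin"
    return fixed


def is_isolating(headers: Dict[str, str]) -> bool:
    """True when the observed COOP value is one of the two accepted fixes."""
    return coop_value(headers) in ISOLATING_VALUES


if __name__ == "__main__":
    print("before:", coop_finding(WEAK_HEADERS))
    print("after: ", coop_finding(harden_coop(WEAK_HEADERS, allows_popups=False)))
```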
Topic explainer
CORS explained: how cross-origin requests actually work
A practical explainer of CORS — same-origin policy, preflight requests, the headers that matter, and the configurations that quietly break security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (coop_unsafe_none) clears once the `Cross-Origin-Opener-Policy` value observed on the live host is no longer `unsafe-none`.