Security headers · Check
Cross-Origin-Opener-Policy missing — isolating window references
Cross-Origin-Opener-Policy (COOP) controls whether a document keeps a window reference to the cross-origin page that opened it, and whether pages it opens keep a reference back to it. Without it, a cross-origin opener and its popup share a browsing context group, which undermines process isolation and complicates Spectre-class mitigations.
Why it matters
Setting `Cross-Origin-Opener-Policy: same-origin` (or `same-origin-allow-popups` if your flows need cross-origin popups, for example OAuth or payment windows) is also a prerequisite, together with `Cross-Origin-Embedder-Policy`, for cross-origin isolation, which browsers require before exposing advanced features such as SharedArrayBuffer.
Real-world risk
Without COOP, a cross-origin page that opened your site (or was opened by it) retains a `window.opener` reference through which your window can be navigated or probed. That weakens isolation and increases cross-window abuse risk in complex app flows.
Fix steps (in order)
- If compatible with your popup flows, set `Cross-Origin-Opener-Policy: same-origin`.
- If you need cross-origin `window.opener` to keep working, consider `same-origin-allow-popups` after testing.
Topic explainer
CORS explained: how cross-origin requests actually work →
A practical explainer of CORS — same-origin policy, preflight requests, the headers that matter, and the configurations that quietly break security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_coop) clears once the externally-observable signal is in place. Browsers only honour COOP on secure (HTTPS) responses, and the policy is per document, so confirm the header on the HTTPS response of every page, not just the landing page.