
HTTP Header

Cross-Origin-Opener-Policy

Security

Controls whether a top-level document can share its browsing context group with cross-origin documents.


What is the Cross-Origin-Opener-Policy header?

The Cross-Origin-Opener-Policy (COOP) HTTP header tells the browser whether a top-level document may share its browsing context group with cross-origin documents.

HTTP headers define how content should be interpreted, cached, authenticated, secured, or processed by browsers and APIs.

Direction

This header may appear in both HTTP requests and responses.

Syntax

Cross-Origin-Opener-Policy: unsafe-none | same-origin | same-origin-allow-popups | same-origin-plus-coep

Example

Cross-Origin-Opener-Policy: same-origin

Common use cases

  • Isolating a document from cross-origin windows
  • Reducing cross-window attack surfaces
  • Working together with Cross-Origin-Embedder-Policy (COEP) to enable cross-origin isolation

Common mistakes

  • Using the header in the wrong request or response context
  • Sending invalid header values
  • Incorrect header syntax
  • Assuming the header automatically changes server behaviour

Practical developer insight

COOP helps isolate a page from other browsing contexts such as cross-origin popups or tabs. It is often deployed together with COEP to enable cross-origin isolation and strengthen browser security boundaries.
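
The COOP and COEP pairing described above, written as a deployment check (an added example, not code from this reference): `auditOpenerPolicy`, `SAMPLES` and the finding strings are hypothetical names, and the sample responses are constructed. It assumes the browser accepts only `unsafe-none`, `same-origin` and `same-origin-allow-popups` on the wire, derives the plus-COEP state from `same-origin` combined with a COEP value of `require-corp` or `credentialless`, and treats anything else as `unsafe-none`.

```javascript
// Added example: audit one response's COOP/COEP pair.
// Assumption: only these three tokens are accepted on the wire; the
// "plus-coep" state is derived from same-origin + an isolating COEP value.
const COOP_TOKENS = new Set(["unsafe-none", "same-origin", "same-origin-allow-popups"]);
const COEP_ISOLATING = new Set(["require-corp", "credentialless"]);

// Bare token before any ";parameter" such as report-to.
function token(value) {
  return String(value ?? "").split(";")[0].trim();
}

function auditOpenerPolicy(headers) {
  // Field names are case-insensitive; values are case-sensitive tokens.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const findings = [];
  const raw = h["cross-origin-opener-policy"];
  let coop = "unsafe-none";
  if (raw === undefined) {
    findings.push("COOP missing: document falls back to unsafe-none");
  } else if (COOP_TOKENS.has(token(raw))) {
    coop = token(raw);
  } else {
    findings.push(`COOP value '${raw}' not recognised: treated as unsafe-none`);
  }

  const coep = token(h["cross-origin-embedder-policy"]);
  const isolated = coop === "same-origin" && COEP_ISOLATING.has(coep);
  if (coop === "same-origin" && !isolated) {
    findings.push("same-origin without an isolating COEP: no cross-origin isolation");
  }
  return { coop, isolated, effective: isolated ? "same-origin-plus-coep" : coop, findings };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" },
  { "Cross-Origin-Opener-Policy": "same-origin" },
  { "cross-origin-opener-policy": "Same-Origin" },              // wrong case
  { "Cross-Origin-Opener-Policy": "same-origin, unsafe-none" }, // two values
  {},
];
for (const s of SAMPLES) console.log(JSON.stringify(auditOpenerPolicy(s)));
```

The wrong-case and two-value samples show how an invalid value silently degrades to the default rather than producing an error, which is why the check reports them as findings.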
