%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:xlink='http://www.w3.org/1999/xlink'%20x='0px'%20y='0px'%20viewBox='0%200%20120.17%2045.43'%20style='enable-background:new%200%200%20120.17%2045.43;'%20xml:space='preserve'%3e%3cg%3e%3cpath%20d='M32.33,0v16.13c0,2.21-0.42,4.3-1.26,6.26c-0.84,1.97-2,3.7-3.49,5.18c-1.49,1.49-3.2,2.65-5.15,3.49%20c-1.94,0.84-4.04,1.26-6.3,1.26c-2.21,0-4.3-0.42-6.26-1.26c-1.97-0.84-3.68-2-5.15-3.49c-1.46-1.49-2.62-3.21-3.46-5.18%20C0.42,20.42,0,18.34,0,16.13V0h6.41v16.13c0,1.34,0.25,2.62,0.76,3.82c0.5,1.2,1.2,2.24,2.09,3.13c0.89,0.89,1.92,1.58,3.1,2.09%20c1.18,0.5,2.44,0.76,3.78,0.76c1.34,0,2.62-0.25,3.82-0.76c1.2-0.5,2.24-1.2,3.13-2.09c0.89-0.89,1.58-1.93,2.09-3.13%20c0.5-1.2,0.76-2.47,0.76-3.82V0H32.33z'%20fill='%232563eb'%20/%3e%3cpath%20d='M50.4,0.14c2.26,0,4.36,0.42,6.3,1.26c1.94,0.84,3.66,1.99,5.15,3.46c1.49,1.46,2.65,3.17,3.49,5.11%20c0.84,1.94,1.26,4.04,1.26,6.3c0,2.21-0.42,4.3-1.26,6.26c-0.84,1.97-2,3.7-3.49,5.18c-1.49,1.49-3.2,2.65-5.15,3.49%20c-1.94,0.84-4.04,1.26-6.3,1.26h-9.72v12.96h-6.41V16.27c0-2.26,0.42-4.36,1.26-6.3c0.84-1.94,1.99-3.65,3.46-5.11%20c1.46-1.46,3.18-2.62,5.15-3.46C46.1,0.56,48.19,0.14,50.4,0.14z%20M54.22,25.31c1.2-0.5,2.24-1.2,3.13-2.09%20c0.89-0.89,1.58-1.93,2.09-3.13c0.5-1.2,0.76-2.47,0.76-3.82c0-1.34-0.25-2.6-0.76-3.78c-0.5-1.18-1.2-2.21-2.09-3.1%20c-0.89-0.89-1.93-1.58-3.13-2.09c-1.2-0.5-2.47-0.76-3.82-0.76c-1.34,0-2.6,0.25-3.78,0.76c-1.18,0.5-2.21,1.2-3.1,2.09%20c-0.89,0.89-1.58,1.92-2.09,3.1c-0.5,1.18-0.76,2.44-0.76,3.78v9.79h9.72C51.74,26.06,53.02,25.81,54.22,25.31z'%20fill='%232563eb'/%3e%3cpath%20d='M94.03,20.95l4.54,4.54l-2.23,2.23c-1.54,1.54-3.29,2.71-5.26,3.53c-1.97,0.82-4.03,1.22-6.19,1.22%20c-2.16,0-4.22-0.41-6.19-1.22c-1.97-0.82-3.72-1.99-5.26-3.53c-1.58-1.58-2.76-3.37-3.53-5.36c-0.77-1.99-1.15-4.02-1.15-6.08%20c0-2.06,0.38-4.08,1.15-6.05c0.77-1.97,1.94-3.74,3.53-5.33s3.37-2.77,5.36-3.56c1.99-0.79,4.02-1.19,6.08-1.19%20c2.06,0,4.09,0.4,6.08,1.19c1.99,0.79,3.78,1.98,5.36,3.56l2.23,2.23L80.64,25.06c1.82,0.91,3.75,1.21,5.8,0.9%20c2.04-0.31,3.83-1.24,5.36-2.77L94.03,20.95z%20M77.98,9.36c-1.92,1.92-2.88,4.22-2.88,6.91c0,1.49,0.33,2.9,1.01,4.25%20c0.58-0.58,1.45-1.45,2.63-2.63c1.18-1.18,2.42-2.42,3.74-3.74c1.32-1.32,2.59-2.58,3.82-3.78c1.22-1.2,2.17-2.14,2.84-2.81%20c-1.83-0.91-3.76-1.22-5.8-0.94C81.3,6.91,79.51,7.82,77.98,9.36z'%20fill='%232563eb'%20/%3e%3cpath%20d='M120.17,0v6.41h-3.24c-1.35,0-2.61,0.25-3.78,0.76c-1.18,0.5-2.21,1.2-3.1,2.09c-0.89,0.89-1.58,1.92-2.09,3.1%20c-0.5,1.18-0.76,2.44-0.76,3.78v16.2h-6.48v-16.2c0-2.26,0.42-4.36,1.26-6.3c0.84-1.94,2-3.65,3.49-5.11%20c1.49-1.46,3.21-2.62,5.18-3.46c1.97-0.84,4.06-1.26,6.27-1.26H120.17z'%20fill='%232563eb'/%3e%3c/g%3e%3c/svg%3e){kind=small}
Three HTTP headers — Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP) — together form a mechanism called cross-origin isolation. Configured correctly, they protect your site against Spectre-style attacks and tabnapping, and unlock SharedArrayBuffer and high-resolution timers. Configured incorrectly, they silently break YouTube embeds, Stripe Checkout, and Google Sign-In. This guide shows how to set them up right.
TL;DR — three headers in 60 seconds
| Header | What it controls | When to set it |
|---|---|---|
| COOP | Whether other windows/popups can access your window | Always — protects against tabnapping |
| COEP | Whether your page can load subresources without consent | Only if you need SharedArrayBuffer or crossOriginIsolated |
| CORP | Who can load your resources (images, scripts) | On resources you host for other sites |
For a typical marketing site / blog, this is enough:
Cross-Origin-Opener-Policy: same-origin-allow-popupsFor a web app that needs SharedArrayBuffer (multithreaded WebAssembly, FFmpeg.wasm, games, video editors):
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corpWhy these headers exist
Spectre (2018)
In January 2018 the Spectre vulnerability was disclosed — a side-channel attack exploiting speculative execution in CPUs. It allowed reading memory from other processes, including other browser tabs. For browsers, this was catastrophic: JavaScript from an ad frame could theoretically read passwords from another tab.
The response was Site Isolation (Chrome) and eventually cross-origin isolation at the HTTP level. Pages that want access to high-resolution timers and shared memory (SharedArrayBuffer) must prove they are isolated from potentially hostile origins.
Tabnapping and opener exploitation
When you open a window via <a target="_blank"> or window.open(), the new window gets access to window.opener. Without protection, this reference lets a malicious page rewrite the parent window’s content (window.opener.location = 'phishing.com'). This is classic tabnapping.
rel="noopener" on links solves the problem for individual links, but COOP solves it at the whole-page level, regardless of how the window was opened. Cross-origin headers are one of many defensive layers — incidents like the 2026 WordPress plugin supply-chain attack show that without defense-in-depth, a single vulnerability can open the door to hundreds of thousands of sites.
COOP — Cross-Origin-Opener-Policy
COOP decides who has access to your window object. Three valid values:
unsafe-none (default)
Cross-Origin-Opener-Policy: unsafe-noneNo isolation. Any page that opens you via window.open() keeps its window.opener reference and can exploit it. Do not use in production — even if you never use popups, you’re leaving the door open to tabnapping.
same-origin-allow-popups (recommended for most sites)
Cross-Origin-Opener-Policy: same-origin-allow-popups- Inbound isolation: other-origin pages opening you lose access to your
window. - Outbound isolation: popups you open keep normal communication with their opener.
This is the sweet spot. You get tabnapping protection without breaking OAuth, sharing, or payment popups. This is what we use on uper.pl.
same-origin (full isolation)
Cross-Origin-Opener-Policy: same-originFull isolation in both directions. No other-origin page has access to your window, and vice versa. This is required to reach crossOriginIsolated === true and unlock SharedArrayBuffer.
The cost: popups from other origins opened from your page immediately lose window.opener. This is exactly what breaks YouTube, Stripe, and Google Sign-In.
Decision table
| Site type | Recommended value |
|---|---|
| Marketing site / blog | same-origin-allow-popups |
| SaaS with embeds (YouTube, Stripe, Intercom) | same-origin-allow-popups |
| SPA with multithreaded WebAssembly | same-origin |
| Video editor / in-browser game | same-origin |
| E-commerce with popup checkout | same-origin-allow-popups |
COEP — Cross-Origin-Embedder-Policy
COEP enforces that every resource loaded by your page from other origins explicitly consents to being embedded by you. This is the second half of the crossOriginIsolated requirement.
unsafe-none (default)
No requirements. Load anything from anywhere.
require-corp
Cross-Origin-Embedder-Policy: require-corpEvery cross-origin resource (image, script, iframe) must either:
- Have a
Cross-Origin-Resource-Policy: cross-originheader (explicit consent), or - Be loaded with CORS (
Access-Control-Allow-Origin).
Otherwise the browser blocks it. This is strict — it will break most CDN and third-party integrations that don’t set CORP/CORS.
credentialless (newer, 2022+)
Cross-Origin-Embedder-Policy: credentiallessA looser variant: instead of requiring CORP/CORS, the browser simply loads resources without cookies or other credentials. For most use cases (images, fonts, public APIs) this is enough, and it requires far fewer changes from third-party providers.
Browser support: Chrome 96+, Firefox 119+. Safari only joined in 2024 — if you support older iOS, have a fallback.
CORP — Cross-Origin-Resource-Policy
The opposite perspective. If you host resources (CDN, image API, fonts for other sites), CORP tells the browser who is allowed to load them.
Values
Cross-Origin-Resource-Policy: same-origin # only your domain
Cross-Origin-Resource-Policy: same-site # your domain and subdomains
Cross-Origin-Resource-Policy: cross-origin # any siteWhen to use which
same-origin— private resources (user data APIs, dashboard images).same-site— resources shared across subdomains (logo onapp.example.comandwww.example.com).cross-origin— public resources that you want others to embed (images for embeds, public fonts, avatar CDN).
If you’re an API provider and your customers complain that their COEP-enabled sites stopped loading your images — you’re missing Cross-Origin-Resource-Policy: cross-origin.
The magic flag: self.crossOriginIsolated
When you set both:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corpyou get in JavaScript:
self.crossOriginIsolated === trueWhat this unlocks:
SharedArrayBuffer— shared memory across threads (Web Workers). Essential for multithreaded WebAssembly, FFmpeg.wasm, Three.js with Web Workers, emulators. Note: full isolation can degrade LCP because third-party resources need additional CORP/CORS headers and get blocked without them — which slows down first render in practice.performance.measureUserAgentSpecificMemory()— precise memory usage measurement.- High-resolution timers —
performance.now()without intentional coarsening (a Spectre mitigation). Atomics.wait()on the main thread.
For a typical marketing site, none of this matters. For a WebAssembly application, it’s critical.
Real-world problems and fixes
YouTube embed stopped working
Symptom: the video renders, but clicking “Share”, sign-in, or fullscreen (in some browsers) doesn’t work.
Cause: you set Cross-Origin-Opener-Policy: same-origin. The YouTube player opens popups that immediately lose their opener reference.
Fix: switch to same-origin-allow-popups. If you need crossOriginIsolated (e.g. for WASM), move YouTube to a separate page without isolation.
Stripe Checkout popup doesn’t close after payment
Symptom: the user pays, the popup stays open, your site doesn’t know the transaction succeeded.
Cause: Stripe calls window.opener.postMessage() to your site after completion. With COOP: same-origin, the reference is null.
Fix: same-origin-allow-popups, or use Stripe Elements instead of Checkout (renders inside your iframe, not a popup).
Google Sign-In / OAuth callback doesn’t arrive
Symptom: the user signs in in the Google popup, the popup closes, but your app never receives the token.
Cause: same as Stripe — postMessage from the popup hits a null opener.
Fix: same-origin-allow-popups. Alternatively — use Google Identity Services (GIS) with FedCM, which uses a dedicated API instead of popups.
CDN images stop loading after enabling COEP
Symptom: after adding COEP: require-corp, all images from your external CDN (Cloudinary, imgix, Gravatar) fail to load.
Cause: the CDN doesn’t return a Cross-Origin-Resource-Policy: cross-origin header.
Fixes:
- Configure the CDN to add
Cross-Origin-Resource-Policy: cross-originto responses (most have this option). - Load images with
crossorigin="anonymous"and ensure the CDN returnsAccess-Control-Allow-Origin: *. - Use the looser
COEP: credentiallessinstead ofrequire-corp.
Social sharing popup (Twitter/LinkedIn) behaves erratically
Symptom: the “Share on Twitter” popup opens, but interactions inside it are weird or crash.
Cause: COOP: same-origin on your site.
Fix: same-origin-allow-popups.
How to debug
1. Check isolation status
In the DevTools console:
self.crossOriginIsolated
// true = you have full isolation
// false = you don't2. DevTools → Application → Frames
Chrome DevTools → Application tab → Frames section → click your page. You’ll see:
Cross-Origin Isolated: yes/no- Exact COOP, COEP, CORP values
- List of sub-frames and their isolation status
3. Violation reports
You can collect COOP violation reports:
Cross-Origin-Opener-Policy: same-origin; report-to="coop-endpoint"
Reporting-Endpoints: coop-endpoint="https://yourdomain.com/coop-report"You’ll receive JSON describing which frame tried to do something and got blocked. Essential when debugging silent failures.
4. Browser console
COEP blocks show up in the console as:
A resource is blocked by OpaqueResponseBlocking, please check browser console for details.
Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoepReady-made configurations
Marketing site / blog (recommended)
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: same-siteNo COEP. Protects against tabnapping, doesn’t break any integrations.
E-commerce with external checkout
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: same-siteIdentical. The key point — do not use same-origin, because it will kill Stripe/PayPal popups.
SPA with WebAssembly (SharedArrayBuffer)
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-originPlus: every external resource (CDN, fonts, images) must have Cross-Origin-Resource-Policy: cross-origin or CORS.
Public API / CDN provider
Cross-Origin-Resource-Policy: cross-originThat’s it. You’re telling the world: “feel free to use me, even from isolated pages”.
Interaction with other headers
- CSP — orthogonal. CSP controls what you load, COOP/COEP control isolation terms. See the CSP guide for Google services.
- X-Frame-Options — about whether you can be embedded in an iframe. A different category than COOP.
- Referrer-Policy — unrelated.
- HSTS — unrelated. See the complete HTTP security headers guide.
Frequently asked questions about COOP, COEP and CORP
What does same-origin-allow-popups mean in Cross-Origin-Opener-Policy?
It's a COOP value that isolates your page from inbound windows from other origins (tabnapping protection), but lets popups you open keep communication with your page. This is the best value for most marketing sites and apps using third-party integrations (YouTube, Stripe, Google Sign-In).
Why did my YouTube embed stop working after enabling COOP?
You probably set Cross-Origin-Opener-Policy: same-origin (full isolation). The YouTube player opens popups (Share, sign-in, fullscreen) that under full isolation lose their reference to your page, so communication between them fails. Switch to same-origin-allow-popups — you keep tabnapping protection and YouTube works again.
How do I enable SharedArrayBuffer in the browser?
You need to reach crossOriginIsolated === true. This requires setting two HTTP headers simultaneously: Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp. Additionally, every cross-origin resource you load (images, scripts, fonts) must have a Cross-Origin-Resource-Policy: cross-origin header or be loaded with CORS.
What is the difference between COOP, COEP and CORP?
COOP (Cross-Origin-Opener-Policy) protects your window from other pages — it governs tab and popup isolation. COEP (Cross-Origin-Embedder-Policy) enforces that resources you load from other origins explicitly consent. CORP (Cross-Origin-Resource-Policy) is the inverse of COEP — you send it on resources you host to tell the browser who is allowed to load them.
Does a regular blog site need COEP and CORP?
No. For a typical marketing site, blog, or shop, Cross-Origin-Opener-Policy: same-origin-allow-popups is enough. COEP and CORP are only needed when your app uses SharedArrayBuffer, multithreaded WebAssembly, or you host public resources for other sites.
What should I do when my image CDN breaks after enabling COEP?
Three options: (1) configure the CDN to add Cross-Origin-Resource-Policy: cross-origin to responses — most CDNs support this; (2) load images with crossorigin="anonymous" and ensure the CDN returns Access-Control-Allow-Origin: *; (3) use the looser Cross-Origin-Embedder-Policy: credentialless instead of require-corp — it doesn't require changes from third-party providers.
Does setting COOP break Google Analytics or Google Tag Manager?
No. GA4 and GTM communicate via fetch/XHR, not popups, so no COOP value will break them. Problems only appear with interactions that open new windows: Google Sign-In, Stripe Checkout, social sharing. See also the CSP guide for Google services.
What is credentialless in Cross-Origin-Embedder-Policy?
It's a newer, looser COEP value (Chrome 96+, Firefox 119+, Safari 2024+). Instead of requiring external resources to explicitly consent via CORP or CORS, the browser simply loads them without cookies or other credentials. For public resources (images, fonts, public APIs) this is enough, and it requires far fewer changes from third-party providers.
Check your cross-origin isolation with UPER SEO Auditor
Diagnosing silent COOP/COEP failures is painful — the symptoms are weird popup behavior and broken OAuth, not clean error messages. The Security tab in UPER SEO Auditor (Chrome extension) shows all three headers for the current page:
- Cross-Origin-Opener-Policy — current value and whether it matches a sensible default
- Cross-Origin-Embedder-Policy — detected or missing, including
credentiallesssupport - Cross-Origin-Resource-Policy — for resources served by the page itself
All three feed into a weighted 0-10 security score alongside HSTS, CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy. Install it, open the Security tab, and you’ll see your real production headers without touching the terminal.
Summary
For 95% of sites, the only header from this trio you need is:
Cross-Origin-Opener-Policy: same-origin-allow-popupsIt protects against tabnapping and doesn’t break anything. COEP and CORP are only needed if you host resources for others or your app uses SharedArrayBuffer.
If you already deployed full isolation (same-origin + require-corp) and suddenly notice silent popup failures — switch back to same-origin-allow-popups. The security cost is minimal, the functionality cost is huge.
