COOP and COEP (Cross-Origin Isolation)

Two headers that enable cross-origin isolation, required for SharedArrayBuffer and high-resolution timers.

Cross-Origin-Opener-Policy (COOP) controls whether your document shares a browsing context group with cross-origin windows; the value same-origin puts the document in its own group, isolating it from foreign window references. Cross-Origin-Embedder-Policy (COEP) requires cross-origin resources to explicitly opt in (through a Cross-Origin-Resource-Policy header or CORS) before they load in an isolated page. Together they put the page in a cross-origin isolated mode, where the platform exposes high-resolution timers and shared memory. This is a mode for power users only.

Why developers care

Without isolation, SharedArrayBuffer stays disabled in many browsers, and WebAssembly pthreads or certain media pipelines stall. Isolation also brings the page's security posture closer to a Spectre mitigation, at the cost of breaking naïve third-party embeds that lack Cross-Origin-Resource-Policy (CORP) headers. Enable these headers only when you need the APIs or explicit isolation guarantees.

Example

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
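
A pre-deployment check for the header pair above, as an added example that is not from the original page: it confirms the document sends both headers and flags cross-origin subresources that COEP: require-corp would block. The function names, the resource shape ({ url, corsMode, headers }) and the sample hosts are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// Reads a header case-insensitively and drops parameters such as `; report-to="x"`.
function token(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]).split(";")[0].trim().toLowerCase() : "";
}

// True when the document carries the exact header pair shown in the Example.
function hasIsolationHeaders(docHeaders) {
  return token(docHeaders, "Cross-Origin-Opener-Policy") === "same-origin" &&
         token(docHeaders, "Cross-Origin-Embedder-Policy") === "require-corp";
}

// Classifies one subresource the way COEP: require-corp would treat it.
// corsMode means the element is fetched with the `crossorigin` attribute.
// Simplification: credentialed CORS requests are not modelled.
function classify(pageOrigin, res) {
  if (new URL(res.url).origin === pageOrigin) return "ok: same-origin";
  if (res.corsMode) {
    const acao = token(res.headers, "Access-Control-Allow-Origin");
    return acao === "*" || acao === pageOrigin.toLowerCase()
      ? "ok: cors" : "blocked: cors check fails";
  }
  const corp = token(res.headers, "Cross-Origin-Resource-Policy");
  if (corp === "cross-origin") return "ok: corp";
  // same-site depends on the registrable domain, which this sketch does not compute.
  if (corp === "same-site") return "review: same-site only";
  return "blocked: corp missing or too strict";
}

function audit(pageOrigin, docHeaders, resources) {
  return {
    isolationHeaders: hasIsolationHeaders(docHeaders),
    findings: resources.map((r) => ({ url: r.url, result: classify(pageOrigin, r) })),
  };
}

// Constructed sample input (not taken from any real site).
const sample = audit("https://app.example",
  { "cross-origin-opener-policy": "same-origin",
    "Cross-Origin-Embedder-Policy": 'require-corp; report-to="coep"' },
  [
    { url: "https://app.example/main.js", corsMode: false, headers: {} },
    { url: "https://cdn.example/lib.js", corsMode: false,
      headers: { "Cross-Origin-Resource-Policy": "cross-origin" } },
    { url: "https://fonts.example/a.woff2", corsMode: true,
      headers: { "Access-Control-Allow-Origin": "*" } },
    { url: "https://ads.example/pixel.gif", corsMode: false, headers: {} },
  ]);
console.log(JSON.stringify(sample, null, 2));
```

Once the headers are live, self.crossOriginIsolated in the page reports whether the browser actually granted isolation.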

Spec

HTML — COOP · HTML — COEP
