COOP and COEP: Cross-Origin Isolation
Last updated: April 2026
COOP (Cross-Origin-Opener-Policy) and COEP (Cross-Origin-Embedder-Policy) are HTTP headers that enable cross-origin isolation, a browser security mode required for SharedArrayBuffer and high-resolution performance timers.
Cross-Origin-Opener-Policy (COOP)
Controls whether your page shares a browsing context group with cross-origin pages. This affects whether popups can use window.opener to communicate with your page.
    # Isolates your page from cross-origin windows (most secure)
    Cross-Origin-Opener-Policy: same-origin

    # Allows popups but isolates opener references (good for OAuth)
    Cross-Origin-Opener-Policy: same-origin-allow-popups

    # No isolation (default browser behaviour)
    Cross-Origin-Opener-Policy: unsafe-none
Cross-Origin-Embedder-Policy (COEP)
Requires all subresources to opt in to cross-origin loading via Cross-Origin-Resource-Policy or CORS.
    # Require all subresources to opt in
    Cross-Origin-Embedder-Policy: require-corp

    # Credentialless: loads cross-origin resources without cookies
    Cross-Origin-Embedder-Policy: credentialless
Enable cross-origin isolation (SharedArrayBuffer)
    # Both headers required together
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp

    # Check if cross-origin isolated in JS:
    console.log(self.crossOriginIsolated); // true if both headers set
Fix COOP breaking OAuth popups
    # Use same-origin-allow-popups instead of same-origin
    Cross-Origin-Opener-Policy: same-origin-allow-popups
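An added example, not part of the original page: a small JavaScript checker for the header combinations in the isolation and OAuth sections above. It predicts whether `self.crossOriginIsolated` would be true for a top-level document and whether the page's own COOP value leaves `window.opener` available to popups it opens. The function names, result fields and sample header sets are constructed for illustration, and it treats `credentialless` as isolating alongside `require-corp`, which goes beyond the header pair shown above.

```javascript
// Added example: names are hypothetical, sample header sets are constructed.
const COOP_VALUES = new Set(["same-origin", "same-origin-allow-popups", "unsafe-none"]);
const COEP_VALUES = new Set(["require-corp", "credentialless", "unsafe-none"]);

// Header names are case-insensitive and the value may carry parameters
// such as `; report-to="..."`, so keep only the token before the first ";".
function policyToken(headers, name, allowed) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  if (key === undefined) return "unsafe-none"; // header absent: browser default
  const token = String(headers[key]).split(";")[0].trim();
  // Unrecognised values (including wrong case) fall back to the default.
  return allowed.has(token) ? token : "unsafe-none";
}

function classifyIsolation(headers) {
  const coop = policyToken(headers, "cross-origin-opener-policy", COOP_VALUES);
  const coep = policyToken(headers, "cross-origin-embedder-policy", COEP_VALUES);
  const findings = [];
  if (coop !== "same-origin") {
    findings.push(`COOP is ${coop}; isolation needs same-origin`);
  }
  if (coep === "unsafe-none") {
    findings.push("COEP is missing or unsafe-none; isolation needs require-corp or credentialless");
  }
  return {
    coop,
    coep,
    // Expected value of self.crossOriginIsolated for a top-level document.
    crossOriginIsolated: coop === "same-origin" && coep !== "unsafe-none",
    // false means this page's COOP severs window.opener for cross-origin popups (breaks OAuth popups).
    popupsKeepOpener: coop !== "same-origin",
    findings,
  };
}

// Constructed sample responses, one per configuration discussed on the page.
const samples = {
  isolated: { "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" },
  oauthFriendly: { "cross-origin-opener-policy": "same-origin-allow-popups", "cross-origin-embedder-policy": "require-corp" },
  coopOnly: { "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(classifyIsolation(headers)));
}
```

The `oauthFriendly` result shows the trade-off in the OAuth fix: popups keep their opener, but the page is no longer cross-origin isolated.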