Cross-Origin-Opener-Policy

Enabled

Ensure a top-level document does not share a browsing context group with cross-origin documents.


The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. COOP will process-isolate your document and potential attackers can't access your global object if they were to open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.

ℹ Read more about this header here.

This header should be configured together with Cross-Origin-Embedder-Policy (COEP).

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      crossOriginOpenerPolicy: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          crossOriginOpenerPolicy: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by setting crossOriginOpenerPolicy: false.

Default value

By default, Nuxt Security will set the following value for this header.

Cross-Origin-Opener-Policy: same-origin

Available values

The crossOriginOpenerPolicy header can be configured with the following values.

crossOriginOpenerPolicy: 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin' | false

unsafe-none

This is the browser's default behavior when no COOP header is sent (Nuxt Security itself defaults to same-origin, see above). Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.

same-origin-allow-popups

Retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.

same-origin

Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.
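The three values above, and the note that COOP should be paired with COEP, can be checked against a small model of the browser's decision. The following is an added example and not nuxt-security code: it parses a COOP header value, decides whether a freshly opened popup shares a browsing context group with its opener (and so whether window.opener stays usable), and checks whether a COOP/COEP pair makes a document cross-origin isolated. The origins, header values and the demo() scenario are constructed for illustration.

```javascript
// Added example (not nuxt-security code): models how browsers decide whether an
// opener and a document it opens share a browsing context group, given each
// side's COOP value, and whether a response's COOP/COEP pair yields cross-origin
// isolation. All header values and origins below are constructed.

const COOP_VALUES = new Set(['unsafe-none', 'same-origin-allow-popups', 'same-origin']);

// Parse a Cross-Origin-Opener-Policy header value. A missing header or an
// unrecognised token behaves like 'unsafe-none', as it does in browsers.
// A trailing parameter such as `; report-to="default"` is ignored here.
function parseCoop(headerValue) {
  if (typeof headerValue !== 'string') return 'unsafe-none';
  const token = headerValue.split(';')[0].trim().toLowerCase();
  return COOP_VALUES.has(token) ? token : 'unsafe-none';
}

// Decide whether a newly opened popup (its initial navigation) stays in the same
// browsing context group as its opener. `opener` and `openee` are
// { origin, coop } objects; a shared group means the opener's window.open()
// handle and the popup's window.opener remain usable across the two documents.
function sharesBrowsingContextGroup(opener, openee) {
  // Neither side asks for isolation: shared group, as on the legacy web.
  if (opener.coop === 'unsafe-none' && openee.coop === 'unsafe-none') return true;
  // Identical non-default policies match only when both origins are the same.
  if (opener.coop === openee.coop && opener.origin === openee.origin) return true;
  // same-origin-allow-popups keeps a handle to popups that do not set COOP.
  if (opener.coop === 'same-origin-allow-popups' && openee.coop === 'unsafe-none') return true;
  return false;
}

// A document becomes cross-origin isolated (window.crossOriginIsolated === true)
// only with COOP: same-origin together with COEP: require-corp or credentialless.
// `headers` is a plain object keyed by lowercase header name.
function isCrossOriginIsolated(headers) {
  const coop = parseCoop(headers['cross-origin-opener-policy']);
  const coep = (headers['cross-origin-embedder-policy'] || '').split(';')[0].trim().toLowerCase();
  return coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
}

// Constructed scenario: an app sending the nuxt-security default (same-origin)
// is opened as a popup by a cross-origin page that sets no COOP, and a second
// app uses same-origin-allow-popups to keep a handle on an identity-provider popup.
function demo() {
  const app = { origin: 'https://app.example', coop: parseCoop('same-origin; report-to="default"') };
  const other = { origin: 'https://other.example', coop: parseCoop(undefined) };
  return {
    // The cross-origin opener loses its reference to the app's window.
    popupFromCrossOriginOpener: sharesBrowsingContextGroup(other, app),
    // The app keeps its reference to a popup that does not set COOP.
    loginPopupKeepsHandle: sharesBrowsingContextGroup(
      { origin: 'https://app.example', coop: 'same-origin-allow-popups' },
      { origin: 'https://idp.example', coop: 'unsafe-none' },
    ),
    // Same-origin documents with matching policy still share a group.
    sameOriginPair: sharesBrowsingContextGroup(app, { origin: 'https://app.example', coop: 'same-origin' }),
    // COOP alone does not make the document cross-origin isolated; COEP is needed too.
    isolatedWithCoep: isCrossOriginIsolated({
      'cross-origin-opener-policy': 'same-origin',
      'cross-origin-embedder-policy': 'require-corp',
    }),
    isolatedWithoutCoep: isCrossOriginIsolated({ 'cross-origin-opener-policy': 'same-origin' }),
  };
}

console.log(demo());
```

The decision order in sharesBrowsingContextGroup follows the HTML specification's matching rules: two unsafe-none policies always match, otherwise the policies must be identical and the origins the same, with same-origin-allow-popups as the one deliberate exception for popups that opt out of isolation. The isolation check is why the page recommends pairing this header with COEP.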