Cross-Origin-Opener-Policy

Enabled Ensure a top-level document does not share a browsing context group with cross-origin documents.


The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. COOP will process-isolate your document and potential attackers can't access your global object if they were to open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.

ℹ Read more about this header here.

This header should be configured with COEP

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({  // Global  security: {    headers: {      crossOriginEmbedderPolicy: <OPTIONS>,    },  },  // Per route  routeRules: {    '/custom-route': {      headers: {        'Cross-Origin-Opener-Policy': <OPTIONS>      },    }  }})

You can also disable this header by crossOriginEmbedderPolicy: false.

Default value

By default, Nuxt Security will set following value for this header.

Cross-Origin-Opener-Policy: same-origin

Available values

The crossOriginEmbedderPolicy header can be configured with following values.

crossOriginOpenerPolicy: 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin' | false

unsafe-none

This is the default value. Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.

same-origin-allow-popups

Retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.

same-origin

Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.