Missing Cross-Origin Isolation (COOP, COEP, CORP)

COOP, COEP, and CORP are three related headers that together put your page into a "cross-origin isolated" state, blocking Spectre-class side-channel attacks and enabling `SharedArrayBuffer` and high-resolution timers.

Business risk

Without COOP, a malicious popup opener can use `window.opener` references to probe your origin and run timing attacks. Without COEP and CORP, your page can embed or be embedded by arbitrary cross-origin documents that use pixel-reading, font-metrics, or `performance.now()` precision to leak data across origin boundaries. Sites that need SharedArrayBuffer (WebAssembly threads, video transcoding, certain cryptography) are blocked from doing so until isolation is active.

Technical details

The canonical isolated set is `COOP: same-origin` + `COEP: require-corp` + every response carrying a `CORP` header. If third-party CDN assets break under `require-corp` (they don't return CORP), switch COEP to `credentialless` (Chrome 96+, Firefox 119+), which strips credentials from cross-origin loads instead of requiring opt-in. Verify with `self.crossOriginIsolated === true` in the browser console.

How to detect it

Isolation requires all three headers cooperating: `Cross-Origin-Opener-Policy`, `Cross-Origin-Embedder-Policy`, and `Cross-Origin-Resource-Policy` on every resource. The definitive check is `self.crossOriginIsolated === true` in the browser console on the page you care about.

curl -sI https://yourdomain.com | grep -iE "cross-origin-(opener|embedder|resource)-policy"

Browser DevTools Console: self.crossOriginIsolated  // must return true

DevTools → Network → filter blocked-by-response  // shows what COEP blocks

Common pitfalls

• !Enabling `require-corp` globally without auditing third-party assets. Every CDN image, embedded video, and analytics script must return its own CORP header. Those that do not will be blocked silently.
• !Picking `unsafe-none` for COOP. That value disables opener isolation entirely - it is the old default, not a safe choice. Use `same-origin` for full isolation or `same-origin-allow-popups` if you need `window.open()` to work with third parties.
• !Not switching to `credentialless` when CDN assets break. If `require-corp` is too strict, `Cross-Origin-Embedder-Policy: credentialless` (Chrome 96+, Firefox 119+) preserves isolation without requiring every resource to ship CORP.
• !Forgetting that `SharedArrayBuffer` gating is the only reason most teams enable this. If you do not use `SharedArrayBuffer`, high-resolution timers, or WebAssembly threading, the complexity may not be worth the isolation.
• !Shipping to production without a staging rollout. COEP errors block subresources entirely. Use `Cross-Origin-Embedder-Policy-Report-Only` first, collect reports, then enforce.

Remediation guide

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin

External references

• web.dev: Cross-Origin Isolation Guide
• MDN: Cross-Origin-Opener-Policy
• MDN: Cross-Origin-Resource-Policy

Frequently asked questions

Keep going

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.