noopener-allow-popups COOP value

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 131)
Intent stage: None

Summary

A single origin can host several applications with different security requirements. In those cases, it can be beneficial to prevent scripts running in one application from opening and scripting pages of another same-origin application, so a document may want to ensure its opener cannot script it, even when the opener is a same-origin document. The `noopener-allow-popups` Cross-Origin-Opener-Policy value lets documents declare that.

Motivation

A single origin can host several applications with different security requirements. In those cases, it can be beneficial to prevent scripts running in one application from opening and scripting pages of another same-origin application, so a document may want to ensure its opener cannot script it, even when the opener is a same-origin document.
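One way a server could send the header for only the more sensitive of two same-origin applications, as an added example that is not from the explainer or from Chrome. The `/admin/` and wiki applications, the `APPS` table and the function names are assumptions made for illustration.

```javascript
// Added example. App names, paths and helper names are hypothetical.
// Two applications share one origin; only the sensitive one declares that
// its opener must not be able to script it.
const APPS = [
  { prefix: "/admin/", coop: "noopener-allow-popups", title: "admin console" },
  { prefix: "/", coop: null, title: "public wiki" }, // catch-all, listed last
];

// Select the application for a request. The first matching prefix wins.
function appFor(rawUrl) {
  // URL parsing resolves "." and ".." segments before the prefix match,
  // so /wiki/../admin/x is treated as /admin/x.
  const { pathname } = new URL(rawUrl, "http://origin.invalid");
  return APPS.find((app) => pathname.startsWith(app.prefix));
}

// Build the response headers. COOP is a per-document response header, so it
// is taken from the same table entry that selects the content; routing and
// policy cannot drift apart.
function headersFor(rawUrl) {
  const app = appFor(rawUrl);
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  if (app.coop) headers["Cross-Origin-Opener-Policy"] = app.coop;
  return headers;
}

// Handler with the (req, res) signature used by Node's http.createServer,
// e.g. require("node:http").createServer(handler).listen(8080).
function handler(req, res) {
  const app = appFor(req.url);
  res.writeHead(200, headersFor(req.url));
  res.end(`<!doctype html><title>${app.title}</title>`);
}
```
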

Standards & signals

Explainers: https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5
