Open
Description
The Cross-Origin-Opener-Policy (COOP) header allows developers to declare that loaded pages should
be process-isolated in browsers and allows references such as window.opener in the page that caused
resource loading (e.g., an iframe ancestor or pop-up window opener) to be null. This can prevent some
cross-origin side-channel attacks.
Recommendation:
Set Cross-Origin-Opener-Policy: same-origin on all responses, except on pages that specifically
require the window.opener property on other documents or that must be referred to using the
window.opener property.
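One way to apply and then verify this recommendation, as an added example that is not part of the issue or the project's code: a wrapper for Node-style `(req, res)` handlers plus an audit over captured responses. The names `EXEMPT_PATHS`, `withCoop` and `auditCoop`, the sample routes, and the choice to leave the header unset on exempt pages are all assumptions.

```javascript
// Added example: hypothetical names throughout (EXEMPT_PATHS, withCoop, auditCoop).
const COOP = "Cross-Origin-Opener-Policy";

// Constructed exemption list: routes that must keep a window.opener relationship.
const EXEMPT_PATHS = ["/oauth/popup-callback", "/payments/return"];

// Exact match or a sub-path only, so "/payments/return-other" is not exempt.
function isExempt(rawUrl, exempt = EXEMPT_PATHS) {
  // Parse against a placeholder base so query strings and dot segments are normalized away.
  const path = new URL(rawUrl, "http://placeholder.invalid").pathname;
  return exempt.some((p) => path === p || path.startsWith(p + "/"));
}

// Wrap a handler so every non-exempt response carries the header.
// Assumption: exempt pages simply get no COOP header.
function withCoop(handler, exempt = EXEMPT_PATHS) {
  return (req, res) => {
    if (!isExempt(req.url, exempt)) res.setHeader(COOP, "same-origin");
    return handler(req, res);
  };
}

// Audit captured responses: return the URLs that are not exempt and lack "same-origin".
function auditCoop(responses, exempt = EXEMPT_PATHS) {
  return responses
    .filter(({ url, headers }) => {
      if (isExempt(url, exempt)) return false;
      // Header names are case-insensitive.
      const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === COOP.toLowerCase());
      // The value may carry parameters such as report-to; compare the policy token only.
      const token = entry ? String(entry[1]).split(";")[0].trim() : "";
      return token !== "same-origin";
    })
    .map(({ url }) => url);
}

// Constructed sample responses for the audit.
const SAMPLE = [
  { url: "/", headers: { "cross-origin-opener-policy": "same-origin" } },
  { url: "/account?tab=keys", headers: {} },
  { url: "/payments/return?id=1", headers: {} },
  { url: "/payments/return-other", headers: { "Cross-Origin-Opener-Policy": "unsafe-none" } },
  { url: "/reports", headers: { "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"' } },
];
console.log(auditCoop(SAMPLE));
```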