
What is Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP)?

May 20, 2026

Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) are two HTTP response headers introduced by Chromium in 2020 and now supported in all major browsers (Chrome 83+, Firefox 79+, Safari 15.2+). COOP controls whether a page shares its browsing context group with windows it opens or that opened it; COEP controls whether a page may load cross-origin subresources. Setting COOP: same-origin together with COEP: require-corp or credentialless puts the page into cross-origin isolated mode, which is required to use SharedArrayBuffer, performance.measureUserAgentSpecificMemory() and high-resolution performance.now() timers. They are part of the post-Spectre browser hardening alongside Cross-Origin-Resource-Policy (CORP).

Why were COOP and COEP introduced?

In January 2018 the Spectre and Meltdown CPU side-channel vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) showed that malicious JavaScript can read memory from other origins inside the same renderer process. Browsers reacted by disabling SharedArrayBuffer and reducing the precision of performance.now() from microseconds to 100 µs. COOP and COEP let a site explicitly opt into a process-isolated, cross-origin-clean context so the browser can re-enable those high-precision features safely.

What does Cross-Origin-Opener-Policy (COOP) do?

COOP decides whether a top-level document shares a browsing context group (and therefore a JavaScript execution context) with windows opened via window.open() or with the opener. Three values exist:

  • unsafe-none — default. Allows window.opener access across origins.
  • same-origin-allow-popups — popups you open keep their window.opener reference to you, but cross-origin documents that try to reach you through the opener relationship are isolated.
  • same-origin — full isolation. Cross-origin windows cannot reference each other; required for cross-origin isolation.

Example header:

Cross-Origin-Opener-Policy: same-origin

What does Cross-Origin-Embedder-Policy (COEP) do?

COEP decides whether a document may load cross-origin subresources (images, scripts, fonts, iframes). Values:

  • unsafe-none — default. Any cross-origin resource is loaded.
  • require-corp — every cross-origin subresource must opt in by sending Cross-Origin-Resource-Policy: cross-origin or a valid CORS response.
  • credentialless — added in Chrome 96 (October 2021). Cross-origin requests are sent without cookies/credentials; the resource does not need to opt in.

Example header:

Cross-Origin-Embedder-Policy: require-corp

What is cross-origin isolation?

A document is cross-origin isolated when COOP: same-origin and either COEP: require-corp or COEP: credentialless are set. You can verify it in DevTools or with JavaScript:

if ( self.crossOriginIsolated ) {
  // SharedArrayBuffer, high-res timers, measureUserAgentSpecificMemory() are available
}

Without isolation, modern browsers block new SharedArrayBuffer() and round performance.now() to 100 µs.
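The rule above (COOP: same-origin plus COEP: require-corp or credentialless) is easy to check on the server side from the response headers alone, before opening DevTools. The following script is an added example, not InspectWP's code or part of the original article; it parses the three headers case-insensitively, strips directive parameters such as report-to, treats unrecognised values the way browsers do (as if the header were absent), and reports a missing header as a warning. The sample responses are constructed.

```python
"""Evaluate a page's COOP/COEP/CORP response headers and decide whether the
document is cross-origin isolated. Added example; the sample header sets at
the bottom are constructed, not captured from a real site."""

COOP = "Cross-Origin-Opener-Policy"
COEP = "Cross-Origin-Embedder-Policy"
CORP = "Cross-Origin-Resource-Policy"

VALID = {
    COOP: {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    COEP: {"unsafe-none", "require-corp", "credentialless"},
    CORP: {"same-origin", "same-site", "cross-origin"},
}
ISOLATING_COEP = {"require-corp", "credentialless"}


def policy_value(headers, name):
    """Case-insensitive header lookup returning the bare policy token.
    Parameters are dropped: 'same-origin; report-to="coop"' -> 'same-origin'.
    Returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(";", 1)[0].strip().lower()
    return None


def isolation_status(headers):
    """Return the parsed policies, the cross-origin-isolated verdict and a
    list of (severity, message) findings."""
    findings = []
    parsed = {}
    for name, valid in VALID.items():
        value = policy_value(headers, name)
        parsed[name] = value
        if value is None:
            # Missing is a warning, not a danger: most content sites do not need isolation.
            findings.append(("warning", f"{name} not set (browser default applies)"))
        elif value not in valid:
            # Browsers treat an unrecognised value as if the header were absent.
            findings.append(("error", f"{name} has unrecognised value {value!r}; default applies"))
            parsed[name] = None

    coop, coep = parsed[COOP], parsed[COEP]
    isolated = coop == "same-origin" and coep in ISOLATING_COEP
    if isolated:
        findings.append(("info", "cross-origin isolated: SharedArrayBuffer and high-resolution timers available"))
        if coep == "require-corp":
            findings.append(("info", "require-corp: every cross-origin subresource must send CORP or pass CORS"))
        else:
            findings.append(("info", "credentialless: cross-origin no-cors requests are sent without cookies"))
    elif coop == "same-origin-allow-popups":
        findings.append(("info", "COOP alone: opener isolation only, no isolated-context features"))
    return {"coop": coop, "coep": coep, "corp": parsed[CORP],
            "cross_origin_isolated": isolated, "findings": findings}


def severity_counts(status):
    """Tally findings by severity, the way a report summary would."""
    counts = {"error": 0, "warning": 0, "info": 0}
    for sev, _ in status["findings"]:
        counts[sev] += 1
    return counts


# Constructed sample responses (header names deliberately mix case).
SAMPLES = {
    "wasm-app":   {"Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"',
                   "cross-origin-embedder-policy": "require-corp",
                   "Cross-Origin-Resource-Policy": "same-site"},
    "login-page": {"Cross-Origin-Opener-Policy": "same-origin-allow-popups"},
    "blog":       {"Content-Type": "text/html"},
    "typo":       {"Cross-Origin-Opener-Policy": "same-origin",
                   "Cross-Origin-Embedder-Policy": "require-cors"},  # misspelt value
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        status = isolation_status(headers)
        print(f"{name}: isolated={status['cross_origin_isolated']}")
        for sev, msg in status["findings"]:
            print(f"  [{sev}] {msg}")
```

Feed it the headers from a real response (for example the dict produced by an HTTP client) and the verdict matches what self.crossOriginIsolated would report in the browser, with the one caveat that the check covers only the top-level document's own headers, not the subresources that require-corp may then block.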

When do I need COOP and COEP on a WordPress site?

  • You don't need them for a standard content site, blog or WooCommerce shop. Enabling them can break embeds (YouTube, Google Maps, Stripe Checkout, Facebook).
  • You do need them if you ship WebAssembly with multi-threading (Photopea, Figma, FFmpeg.wasm), in-browser video processing, Emscripten-compiled games, or precise performance measurement.
  • You might want COOP only (same-origin-allow-popups) on login pages and dashboards to mitigate tab-napping and cross-window scripting — without breaking any embeds.

How do I set COOP and COEP in WordPress?

Apache (.htaccess):

<IfModule mod_headers.c>
  Header set Cross-Origin-Opener-Policy "same-origin"
  Header set Cross-Origin-Embedder-Policy "require-corp"
  Header set Cross-Origin-Resource-Policy "same-site"
</IfModule>

Nginx:

add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Resource-Policy "same-site" always;

Or via a plugin like "HTTP Headers".

What breaks when I enable COEP: require-corp?

Any cross-origin resource without a matching CORP header or CORS response is blocked. Common breakages:

  • YouTube and Vimeo iframes (unless served via credentialless mode).
  • Google Fonts if hot-linked from fonts.gstatic.com without CORS.
  • External avatars like Gravatar, Facebook profile pictures.
  • Third-party analytics pixels, Stripe.js, hCaptcha widgets.

Use the browser DevTools » Network » column "Blocked" to find offenders. Switch to COEP: credentialless to relax the requirement at the cost of stripped cookies on those requests.
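To see in advance which subresources require-corp would block and which credentialless would merely strip cookies from, the same decision a browser makes per response can be modelled from the resource's URL and headers. The script below is an added example (not InspectWP's code and not from the original article): it applies CORP first, since a resource can always refuse cross-origin embedding regardless of the embedder's COEP, then the COEP opt-in rule for no-cors requests, and the Access-Control-Allow-Origin check for CORS-mode requests (assumed anonymous, so "*" is accepted). The "site" comparison is a simplification that takes the last two host labels instead of consulting the Public Suffix List, and all resource URLs and headers are constructed.

```python
"""Predict whether a document with a given COEP may load each subresource.
Added example with constructed inputs; not InspectWP's code."""
from urllib.parse import urlsplit


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _site(url):
    """Approximate 'site' as scheme plus the last two host labels.
    Assumption: fine for example.com / cdn.example.com; a real checker would
    use the Public Suffix List to handle suffixes like co.uk."""
    parts = urlsplit(url)
    labels = parts.hostname.lower().split(".")
    return parts.scheme.lower() + "://" + ".".join(labels[-2:])


def _get(headers, name):
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def subresource_decision(document_url, resource_url, resource_headers, coep, mode="no-cors"):
    """Return (allowed, credentials_sent, reason) for loading resource_url from
    a document with the given COEP. mode is 'no-cors' (plain <img>, <script>
    without crossorigin) or 'cors' (fetch(), <script crossorigin>, @font-face)."""
    if coep not in ("unsafe-none", "require-corp", "credentialless"):
        raise ValueError(f"unknown COEP value {coep!r}")
    if _origin(document_url) == _origin(resource_url):
        return True, True, "same-origin resource; CORP and COEP do not restrict it"

    # CORP is enforced whatever the embedder's COEP says.
    corp = _get(resource_headers, "Cross-Origin-Resource-Policy")
    if corp == "same-origin":
        return False, False, "blocked by CORP: same-origin"
    if corp == "same-site" and _site(document_url) != _site(resource_url):
        return False, False, "blocked by CORP: same-site (different site)"

    if mode == "cors":
        # Anonymous CORS request assumed: '*' or the exact document origin passes.
        acao = _get(resource_headers, "Access-Control-Allow-Origin")
        if acao == "*" or acao == _origin(document_url):
            return True, True, "CORS request passed the CORS check"
        return False, False, "CORS request failed (no matching Access-Control-Allow-Origin)"

    # no-cors, cross-origin from here on. credentialless strips cookies from these.
    credentials = coep != "credentialless"
    if coep == "unsafe-none":
        return True, True, "COEP unsafe-none: no opt-in required"
    if corp in ("cross-origin", "same-site"):  # same-site already verified above
        return True, credentials, f"resource opted in with CORP: {corp}"
    if coep == "require-corp":
        return False, False, "blocked: require-corp needs a CORP header (or a CORS-mode request)"
    return True, False, "allowed by credentialless, but the request carries no cookies"


def report(document_url, resources, coep):
    """Run the decision over (url, headers, mode) triples; returns a list of
    (url, allowed, credentials_sent, reason)."""
    return [(url, *subresource_decision(document_url, url, headers, coep, mode))
            for url, headers, mode in resources]


DOCUMENT = "https://shop.example.com/"  # constructed
RESOURCES = [  # constructed subresources and the headers their servers return
    ("https://shop.example.com/img/logo.png", {}, "no-cors"),
    ("https://cdn.example.com/hero.jpg", {"Cross-Origin-Resource-Policy": "same-site"}, "no-cors"),
    ("https://avatars.example.net/u/123.png", {}, "no-cors"),  # avatar host without CORP
    ("https://widgets.example.org/embed.js", {"Cross-Origin-Resource-Policy": "same-origin"}, "no-cors"),
    ("https://fonts.example.org/inter.woff2", {"Access-Control-Allow-Origin": "*"}, "cors"),
]

if __name__ == "__main__":
    for coep in ("require-corp", "credentialless"):
        print(f"COEP: {coep}")
        for url, allowed, creds, reason in report(DOCUMENT, RESOURCES, coep):
            flag = "ok " if allowed else "BLOCKED"
            print(f"  {flag} cookies={creds!s:5} {url}  ({reason})")
```

Running it shows the trade-off the paragraph describes: the avatar without a CORP header is blocked under require-corp but loads cookie-less under credentialless, while a resource that sends CORP: same-origin stays blocked under both.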

How do I test if my site is cross-origin isolated?

  1. Open the site in Chrome.
  2. DevTools (F12) » Application » Frames » top » check "Cross-Origin Isolated: Yes".
  3. Or run self.crossOriginIsolated in the Console — it must return true.
  4. Use the "Coop-Coep-Crossorigin" report endpoint to monitor violations in production.

What InspectWP checks

InspectWP analyses every HTTP response header on the crawled page and reports the presence and value of Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy in the Security section. Missing headers are flagged as a warning rather than danger, since most content sites do not need full cross-origin isolation.

Check your WordPress site now

InspectWP analyzes your WordPress site for security issues, SEO problems, GDPR compliance, and performance — for free.
