Security
Cross-Origin isolation (COOP / COEP / CORP)
Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
What it is
Cross-Origin-Opener-Policy (COOP) isolates your top-level browsing context from cross-origin windows. Cross-Origin-Embedder-Policy (COEP) requires every subresource to opt in to being embedded. Cross-Origin-Resource-Policy (CORP) lets a resource declare who may embed it. When the three are set together, the page enters a 'cross-origin isolated' state.
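The header combination described above, as an added example (not part of the original page or of WQI's scoring code): a JavaScript audit that decides whether a document response enables cross-origin isolation and whether a cross-origin no-cors subresource would load under it. The header values are the standard ones; the function names, the `sameSite` parameter and the sample responses are assumptions of this example.

```javascript
// Added example. Sample headers at the bottom are constructed for illustration.
const token = (v) => (v || '').split(';')[0].trim(); // drop ;report-to=... parameters
const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

// Does this document response enable the cross-origin isolated state?
function auditDocument(headers) {
  const h = lower(headers);
  const coop = token(h['cross-origin-opener-policy']);
  const coep = token(h['cross-origin-embedder-policy']);
  const problems = [];
  if (coop !== 'same-origin') {
    problems.push(`COOP is "${coop || 'unset'}"; isolation needs same-origin`);
  }
  if (coep !== 'require-corp' && coep !== 'credentialless') {
    problems.push(`COEP is "${coep || 'unset'}"; isolation needs require-corp or credentialless`);
  }
  return { isolated: problems.length === 0, coep, problems };
}

// Would a cross-origin, no-cors subresource (e.g. <img>, <script>) load?
// CORS-mode requests are governed by the CORS check instead and are not modelled.
// sameSite is supplied by the caller (hypothetical parameter of this example).
function subresourceLoads(docCoep, resourceHeaders, sameSite = false) {
  const corp = (lower(resourceHeaders)['cross-origin-resource-policy'] || '').trim();
  if (corp === 'cross-origin') return true;
  if (corp === 'same-site') return sameSite;
  if (corp === 'same-origin') return false; // CORP blocks regardless of COEP
  return docCoep !== 'require-corp';        // no valid CORP: only require-corp blocks
}

// Constructed sample responses.
const page = {
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp; report-to="coep"',
};
const weakPage = { 'Cross-Origin-Opener-Policy': 'same-origin-allow-popups' };
const cdnImage = { 'Cross-Origin-Resource-Policy': 'cross-origin' };
const legacyImage = {}; // third-party asset that sends no CORP header

const result = auditDocument(page);
console.log(result.isolated, auditDocument(weakPage).problems);
console.log(subresourceLoads(result.coep, cdnImage), subresourceLoads(result.coep, legacyImage));
```

In a running page, `self.crossOriginIsolated` reports the resulting state directly.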
Why it matters
Cross-origin isolation is required if you use SharedArrayBuffer, performance.measureUserAgentSpecificMemory, or any precise timer. Beyond unlocking these capabilities, the trio defends against Spectre-class side channels and tab-to-tab attacks.
Who it applies to
Sites using cross-origin isolated APIs, or hardening top-level pages against cross-window attacks.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
- See also: Security headers, CSP 3
Standards that share factors with this one
Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.
Other references
- guidance MDN — Cross-Origin-Opener-Policy
- guidance MDN — Cross-Origin-Embedder-Policy
- guidance MDN — Cross-Origin-Resource-Policy