Implement Cross-Origin-Opener-Policy Header

[evilaliv3]

I consider that it would be really valualbe if we could implement the HTTP Cross-Origin-Opener-Policy (COOP) header to ensure that the top-level document does not share a browsing context group with cross-origin documents.

The policy to be set in our use case is: Cross-Origin-Opener-Policy: same-origin

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

This tickets follows a discussion had on w3c/webappsec-referrer-policy#159 and some great advices by @annevk and @hackademix and a successul experimentation within GlobaLeaks: globaleaks/GlobaLeaks#3103

[evilaliv3]

Moving forward this analysis i consider that we should enable as well CORP and COEP with the following exact configuration:

Cross-Origin-Embedder-Policy: "same-origin"
Cross-Origin-Resource-Policy: "same-site"

References:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

[zenmonkeykstop]

Closed in #6187