content/docs/defenses/opt-in/coop.md
+10-6
Original file line number
Diff line number
Diff line change
@@ -8,22 +8,26 @@ category = [
8
8
menu = "main"
9
9
+++
10
10
11
-
Getting access to a website's `window` object is a common prerequisite for different XS-Leak techniques. [Framing Protections]({{< ref "xfo.md" >}}) can ensure that an attacker cannot use iframes to access the `window` object, but this does not stop an attacker from accessing it from an opened window through `window.open(url)` or `window.opener` references.
11
+
Getting access to a website's `window` object is a common prerequisite for different XS-Leak techniques. [Framing Protections]({{< ref "xfo.md" >}}) can ensure that an attacker cannot use iframes to access the `window` object, but this does not stop an attacker from accessing the `window` object from an opened window through `window.open(url)` or `window.opener` references.
12
12
13
13
Exploiting XS-Leaks with `window.open` is generally seen as the least appealing option for an attacker because the user can see it happen in the open browser window. However, it's usually the right technique when:
14
14
15
-
- A page sets [Framing Protections]({{< ref "xfo.md" >}})
16
-
- A page sets [Same-Site Cookies with `Lax` Mode]({{< ref "same-site-cookies.md" >}}) (in contrast to the `Strict` mode, navigating a top-level window is allowed by the `Lax` mode)
15
+
- A page sets [Framing Protections]({{< ref "xfo.md" >}}).
16
+
- A page sets [Same-Site Cookies with `Lax` Mode]({{< ref "same-site-cookies.md" >}}) (in contrast to the `Strict` mode, navigating a top-level window is allowed by the `Lax` mode).
17
17
18
18
To prevent other websites from gaining arbitrary window references to a page, applications can deploy Cross-Origin-Opener-Policy (COOP) [^1][^2].
19
19
20
-
There are three possible values for the COOP header. `unsafe-none` is the default value and is how websites behave if no value is set. `same-origin` is the strictest. If you set `same-origin`, then cross-origin websites cannot get access to your `window` object through opening new windows. If your application relies on using `window.open` to open another website and communicate with it, this will be blocked by `same-origin`. Instead, you can set `same-origin-allow-popups` which will allow your website to use `window.open` but does not allow other websites to use `window.open` against your application.
20
+
There are three possible values for the COOP header:
21
21
22
-
If possible, it is recommended to set `same-origin`. If you set `same-origin-allow-popups` be sure to review what websites you open with `window.open` and ensure that they are trusted.
22
+
*`unsafe-none` – This is the default value and is how websites behave if no value is set.
23
+
*`same-origin` – This is the strictest value. If you set `same-origin`, then cross-origin websites cannot get access to your `window` object through opening new windows. If your application relies on using `window.open` to open another website and communicate with it, this will be blocked by `same-origin`. If this is an issue, set `same-origin-allow-popups` instead.
24
+
*`same-origin-allow-popups` – This value allows your website to use `window.open`, but does not allow other websites to use `window.open` against your application.
25
+
26
+
If possible, it is recommended to set `same-origin`. If you set `same-origin-allow-popups`, be sure to review what websites you open with `window.open` and ensure that they are trusted.
23
27
24
28
## Considerations
25
29
26
-
Since COOP is an opt-in mechanism and a very recent one, it can easily be overlooked by developers and security engineers. Nonetheless, it’s important to highlight the importance of this defense mechanism as it is the only way to prevent attackers from exploiting XS-Leaks which makes use of window references returned by APIs like `window.open` (unless Same-Site Cookies in the Strict Mode can be widely deployed).
30
+
Since COOP is an opt-in mechanism and a very recent one, it can easily be overlooked by developers and security engineers. Nonetheless, it’s important to highlight the importance of this defense mechanism as it is the only way to prevent attackers from exploiting XS-Leaks which make use of window references returned by APIs like `window.open` (unless SameSite Cookies in the `Strict` mode can be widely deployed).
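Review bot: the three new list items for the header values (`*`unsafe-none` – …`, `*`same-origin` – …`, `*`same-origin-allow-popups` – …`) are missing the space between the `*` and the backtick, so Markdown will not render them as a bulleted list but as a paragraph beginning with a literal asterisk; write them as `* `unsafe-none` – …` (or use the `- ` marker the file already uses for the list above, for consistency). The same item block is also followed by two added blank lines (new lines 25 and 26) before "If possible, it is recommended…", where one is enough. On content, the `same-origin` entry now says "If this is an issue, set `same-origin-allow-popups` instead", which reads as a bare recommendation; since the closing paragraph already cautions that `same-origin-allow-popups` requires reviewing which sites are opened with `window.open`, consider phrasing it as "see `same-origin-allow-popups` below" so the reader reaches the caveat.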