Cross-Origin-Opener-Policy
Enabled Ensure a top-level document does not share a browsing context group with cross-origin documents.
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. COOP will process-isolate your document, so a potential attacker cannot access your global object if they open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.
This header should be configured together with COEP (Cross-Origin-Embedder-Policy).
Usage
This header is enabled by default, but you can change its behavior as follows.
export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      crossOriginOpenerPolicy: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          crossOriginOpenerPolicy: <OPTIONS>,
        },
      },
    }
  }
})
You can also disable this header by setting crossOriginOpenerPolicy: false.
Default value
By default, Nuxt Security sets the following value for this header.
Cross-Origin-Opener-Policy: same-origin
Available values
The crossOriginOpenerPolicy header can be configured with the following values.
crossOriginOpenerPolicy: 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin' | false
unsafe-none
This is the value a browser applies when no COOP header is sent (Nuxt Security itself defaults to same-origin, see above). Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.
same-origin-allow-popups
Retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.
same-origin
Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.
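To verify what the configuration above actually produces, the following added example (not part of nuxt-security) classifies the COOP and COEP headers a response carries according to the three values described here and flags a COOP that is not paired with COEP. It assumes Node 18+ for global fetch; the header sets at the bottom are constructed samples.

```javascript
// Added example, not nuxt-security code: assess the isolation a response's
// COOP/COEP headers give a top-level document. Header names are lowercase.
const COOP_VALUES = new Set(['unsafe-none', 'same-origin-allow-popups', 'same-origin']);

function assessIsolation(headers) {
  const rawCoop = (headers['cross-origin-opener-policy'] ?? 'unsafe-none').trim();
  const coep = (headers['cross-origin-embedder-policy'] ?? 'unsafe-none').trim();
  const findings = [];
  // Browsers fall back to unsafe-none for values they do not recognise.
  if (!COOP_VALUES.has(rawCoop)) {
    findings.push(`unknown COOP value "${rawCoop}" is treated as unsafe-none`);
  }
  const coop = COOP_VALUES.has(rawCoop) ? rawCoop : 'unsafe-none';
  // same-origin and same-origin-allow-popups both give the document its own
  // browsing context group, which is what cuts a cross-origin opener off.
  const separateGroup = coop !== 'unsafe-none';
  // Only same-origin severs references to popups this document opens
  // (for the other values it depends on the popup's own COOP).
  const mayRetainPopupRefs = coop !== 'same-origin';
  // crossOriginIsolated (SharedArrayBuffer etc.) needs same-origin plus COEP.
  const crossOriginIsolated =
    coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
  if (!separateGroup) {
    findings.push('document shares a browsing context group with cross-origin openers');
  } else if (!crossOriginIsolated) {
    findings.push('COOP is set but COEP is missing or weak: crossOriginIsolated stays false');
  }
  return { coop, coep, separateGroup, mayRetainPopupRefs, crossOriginIsolated, findings };
}

// Probe a running site and assess the headers it really sends.
async function checkSite(url) {
  const res = await fetch(url, { redirect: 'follow' });
  return assessIsolation(Object.fromEntries(res.headers.entries()));
}

// Constructed samples: a fully isolated response and one with no headers at all.
const SAMPLE_ISOLATED = {
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-embedder-policy': 'require-corp',
};
const SAMPLE_NO_HEADERS = {};

console.log(assessIsolation(SAMPLE_ISOLATED));   // separateGroup: true, no findings
console.log(assessIsolation(SAMPLE_NO_HEADERS)); // coop: 'unsafe-none', one finding
```

Run `checkSite('http://localhost:3000/')` against a dev server to confirm a route's effective policy, including routes overridden through routeRules.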