Intent to Prototype: COOP same-origin-allow-popups-plus-coep

Skip to first unread message

Camille Lamy

Jun 17, 2021, 7:51:38 AM6/17/21
to blink-dev

Contact emails





To make crossOriginIsolation easier to deploy on sites with OAuth/payment flows relying on popups, we would like Cross-Origin-Opener-Policy: same-origin-allow-popups to also enable crossOriginIsolation when served with an appropriate Cross-Origin-Embedder-Policy header. This would introduce a new COOP mode, with a few restrictions compared to regular COOP same-origin-allow-popups. However, this mode would be crossOriginIsolated, while still having access to any popup it opens through

Blink component



Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Among other things, cross-origin isolation will prevent cross-origin popups from having access to their opener. This behavior ships today in Firefox, and Chrome aims to ship it as well in Chrome 92. As part of crossOriginIsolation, websites must send a Cross-Origin-Opener-Policy: same-origin header. COOP same-origin prevents pages with different top-level origins from being able to communicate with each other. This breaks many OAuth or payment flows that rely on opening a cross-origin popup that will communicate back with the page through window.postMessage for example. APIs like WebID or WebPayments will eventually solve the issue by providing developers with a way to build robust OAuth or payment flows without pop-ups through browser mediation. However, these APIs are not there yet, and will require significant changes from OAuth/Payment flow providers and users. we would like to find a solution that helps websites deploy COOP without having to implement a lot of changes to their websites.

Initial public proposal

TAG review


TAG review status



Interoperability and Compatibility


Gecko: No signal

WebKit: No signal

Web developers: No signals

Is this feature fully tested by web-platform-tests?


Flag name


Tracking bug

Link to entry on the Chrome Platform Status

This intent message was generated by Chrome Platform Status.

Yang Guo

Jun 23, 2021, 11:49:10 AM6/23/21
to blink-dev, Camille Lamy
Is there any consideration wrt tooling/debugging? E.g. should we surface an issue in DevTools if a popup has been blocked from accessing its opener?
Reply all
Reply to author
0 new messages