How to fix: Cross-Origin policies (COOP / COEP / CORP)
OWASP A05
Why this matters
The cross-origin isolation trio (Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy) protects against Spectre-class CPU side-channel attacks by keeping cross-origin content out of the process that renders your page. A document is cross-origin isolated only when COOP: same-origin and COEP: require-corp (or credentialless) are both in effect; that state is what unlocks SharedArrayBuffer and high-resolution performance.now() timers, and it is a recommended baseline for sensitive apps. Caveat before enabling in production: COEP: require-corp makes the browser refuse every cross-origin subresource (scripts, images, fonts, iframes) that does not send a CORP header or load with CORS, so audit third-party embeds first; likewise CORP: same-origin on a host that serves assets to other sites will block those sites from loading them.
Background
Each header does one job. CORP on a response tells the browser which origins may load that resource as a subresource (same-origin, same-site or cross-origin), so other origins cannot pull your responses into their process. COOP: same-origin places the document in its own browsing context group, severing window.opener links to cross-origin pages that opened it or that it opens. COEP: require-corp makes the document refuse any cross-origin subresource that has not opted in via CORP or CORS; COEP: credentialless instead loads such subresources without credentials. COOP plus COEP is what makes the page cross-origin isolated; CORP is what you set so that your own resources survive other sites' COEP.
References
MDN · Cross-Origin-Resource-Policy · Cross-Origin-Opener-Policy · Cross-Origin-Embedder-Policy
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
# "always" also emits the headers on 4xx/5xx responses. Note that an add_header
# in a nested location block replaces (does not extend) the ones inherited from
# the server block, so repeat all three wherever you use add_header.
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
apache
# Requires mod_headers; "always" covers error responses as well.
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
cloudflare
Transform Rules → Modify Response Header → add all three headers with the values above (same-origin, same-origin, require-corp). Headers set at the origin are passed through unchanged, so this is only needed when the origin cannot set them itself.
wordpress
Use the WP Headers Security Advanced plugin, or add the headers from your theme's functions.php. (The original snippet used a PHP arrow function with a block body, which is a syntax error; arrow functions take a single expression, so use a closure.)
add_action('send_headers', function () {
    header('Cross-Origin-Resource-Policy: same-origin');
    header('Cross-Origin-Opener-Policy: same-origin');
    header('Cross-Origin-Embedder-Policy: require-corp');
});
flask
@app.after_request
def set_cross_origin_headers(resp):
    # setdefault lets an individual view override a value (e.g. CORP: cross-origin on a public asset)
    resp.headers.setdefault('Cross-Origin-Resource-Policy', 'same-origin')
    resp.headers.setdefault('Cross-Origin-Opener-Policy', 'same-origin')
    resp.headers.setdefault('Cross-Origin-Embedder-Policy', 'require-corp')
    return resp
express
const helmet = require('helmet');
// helmet() alone does not guarantee COEP (its default has changed between major versions), so set all three explicitly:
app.use(helmet.crossOriginResourcePolicy({ policy: 'same-origin' }));
app.use(helmet.crossOriginOpenerPolicy({ policy: 'same-origin' }));
app.use(helmet.crossOriginEmbedderPolicy({ policy: 'require-corp' }));
rails
Rails can set these without a gem through its default response headers (config/application.rb or an initializer):
config.action_dispatch.default_headers.merge!(
  'Cross-Origin-Resource-Policy' => 'same-origin',
  'Cross-Origin-Opener-Policy'   => 'same-origin',
  'Cross-Origin-Embedder-Policy' => 'require-corp'
)
Verify it's working
curl -sI https://your-site/ | grep -iE 'cross-origin-(resource|opener|embedder)-policy'
curl -sI sends a HEAD request; some frameworks only attach headers on GET, so if nothing shows up, repeat with a GET and dump just the headers:
curl -s -o /dev/null -D - https://your-site/ | grep -iE 'cross-origin-(resource|opener|embedder)-policy'
Then confirm in the browser: open the page, run self.crossOriginIsolated in the DevTools console, and expect true. If it is false although the headers are present, check the console for subresources blocked by COEP; one blocked third-party asset is the usual cause.
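The curl check only shows whether the headers are present; it does not tell you whether the values are the ones browsers honour or whether the page will actually reach the cross-origin isolated state. The script below is an added example, not code from this page or from any of the stacks above: it fetches a URL with GET (not HEAD), validates each of the three headers against the values browsers recognise, and reports whether COOP and COEP together yield cross-origin isolation. The function names, the placeholder URL and the User-Agent string are assumptions made for the example.

```python
"""Validate a response's cross-origin isolation headers (CORP / COOP / COEP).

Usage: python check_coi.py https://your-site/   (URL is a placeholder)
"""
import sys
import urllib.request

# Header values that put a document into the cross-origin isolated state,
# i.e. make self.crossOriginIsolated === true in the browser.
ISOLATING_COOP = {"same-origin"}
ISOLATING_COEP = {"require-corp", "credentialless"}
# The three values browsers recognise for Cross-Origin-Resource-Policy.
VALID_CORP = {"same-origin", "same-site", "cross-origin"}


def _normalise(headers):
    """Lower-case header names and values so the checks are case-insensitive.

    Accepts a dict or any object with .items(), e.g. an http.client.HTTPMessage.
    """
    return {name.strip().lower(): value.strip().lower() for name, value in headers.items()}


def check_cross_origin_headers(headers):
    """Return a list of findings; an empty list means all three headers carry hardened values."""
    h = _normalise(headers)
    findings = []

    corp = h.get("cross-origin-resource-policy")
    if corp is None:
        findings.append("CORP missing: other origins can load this response as a no-cors subresource")
    elif corp not in VALID_CORP:
        findings.append(f"CORP value {corp!r} is not recognised; browsers will ignore it")
    elif corp == "cross-origin":
        findings.append("CORP is cross-origin: every origin may embed this resource")

    coop = h.get("cross-origin-opener-policy")
    if coop is None:
        findings.append("COOP missing: cross-origin openers keep a handle on this window")
    elif coop not in ISOLATING_COOP:
        findings.append(f"COOP is {coop!r}: document shares a browsing context group with cross-origin openers")

    coep = h.get("cross-origin-embedder-policy")
    if coep is None:
        findings.append("COEP missing: cross-origin subresources load without opting in")
    elif coep not in ISOLATING_COEP:
        findings.append(f"COEP is {coep!r}: cross-origin subresources load without opting in")

    return findings


def is_cross_origin_isolated(headers):
    """True when COOP and COEP together produce the cross-origin isolated state."""
    h = _normalise(headers)
    return (h.get("cross-origin-opener-policy") in ISOLATING_COOP
            and h.get("cross-origin-embedder-policy") in ISOLATING_COEP)


def fetch_headers(url):
    """GET the URL (not HEAD, since some apps only add headers on GET) and return its response headers."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "coi-check/1.0"})  # UA is arbitrary
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your-site/"  # placeholder URL
    hdrs = fetch_headers(target)
    for line in check_cross_origin_headers(hdrs) or ["all three headers look good"]:
        print(line)
    print("cross-origin isolated:", is_cross_origin_isolated(hdrs))
```

Run it against a staging host before and after the change; a page that reports no findings but still fails the browser-side self.crossOriginIsolated check has a cross-origin subresource blocked by COEP, which the DevTools console will name.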