COOP, CORP & COEP

WARNING: These isolation headers can block popups, embedded content, and cross-origin resources when the selected values are too strict for the site’s dependencies. Tune them carefully if the site relies on third-party assets or browser interactions across origins.

Description of the control

Use this grouped control to configure the cross-origin isolation headers Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and Cross-Origin-Embedder-Policy (COEP). These headers work together to isolate the browser context more aggressively when the site can support stricter behavior.

Procedure

  1. Open Posture Management.
  2. Select Transport & Browser Security.
  3. In the COOP, CORP & COEP card, select Show isolation headers.
  4. For Cross-Origin-Opener-Policy (COOP), enable Send COOP header and choose the required value, such as unsafe-none, same-origin-allow-popups, or same-origin.
  5. For Cross-Origin-Resource-Policy (CORP), enable Send CORP header and choose the required value, such as cross-origin, same-site, or same-origin.
  6. For Cross-Origin-Embedder-Policy (COEP), enable Send COEP header and choose the required value, such as unsafe-none, credentialless, or require-corp.
  7. Review the help text for each header before finalizing the combination.
  8. Select Save Transport & Browser Settings.

Validation

After saving, test site features that use popups, embeds, media, scripts, or other cross-origin resources. Confirm the selected headers are present in responses and verify that expected browser functionality still works with the chosen isolation values.
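
One way to run the header check described under Validation, as an added example that is not part of the product or its documentation: it checks a captured response head for the three headers, compares each value with the options listed in the procedure, and reports whether COOP same-origin together with COEP require-corp or credentialless (the pair browsers require for cross-origin isolation) is in effect. The function names and the sample response are constructed for illustration.

```python
# Values offered by the control, as listed in the procedure above.
ALLOWED = {
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-resource-policy": {"cross-origin", "same-site", "same-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "credentialless", "require-corp"},
}

# Constructed sample response head (not captured from a real site).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-site\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_isolation(raw):
    """Return the selected values, any findings, and the isolation verdict."""
    headers = parse_headers(raw)
    findings, selected = [], {}
    for name, allowed in ALLOWED.items():
        values = headers.get(name, [])
        if len(values) != 1:
            # Missing or repeated headers are reported rather than trusted.
            findings.append(f"{name}: expected once, seen {len(values)} times")
            continue
        # Drop parameters such as ;report-to="..."; values are case-sensitive.
        token = values[0].split(";", 1)[0].strip()
        if token in allowed:
            selected[name] = token
        else:
            findings.append(f"{name}: unexpected value {token!r}")
    isolated = (selected.get("cross-origin-opener-policy") == "same-origin"
                and selected.get("cross-origin-embedder-policy") in {"require-corp", "credentialless"})
    return {"selected": selected, "findings": findings, "isolated": isolated}
```

Feed it the response head saved from the site after the settings are applied; an empty findings list means all three headers are present exactly once with a recognized value.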
