⚠️ No isolation headers — cross-origin content and openers are unrestricted

COEP & COOP

Cross-Origin Embedder Policy and Cross-Origin Opener Policy isolate your page from untrusted cross-origin content and from the pages that open it, protecting against Spectre-style side-channel attacks. Set together, they make the page cross-origin isolated, which is also what re-enables SharedArrayBuffer and high-resolution timers.

Scenario 1: Cross-Origin Embedder Policy (COEP)

Embedding cross-origin content

Attempting to embed an image without a Cross-Origin-Resource-Policy header

⚠️ No COEP. Cross-origin resources load freely, whether or not they opt in to being embedded via CORP or CORS. Every such resource is pulled into this page's process, where a Spectre-style attack running on this page could read it.
Cross-origin test image (served without a CORP header)
What COEP does

COEP: require-corp makes every cross-origin resource on your page opt in explicitly, either with a Cross-Origin-Resource-Policy header (cross-origin, or same-site for resources on your own site) or by being loaded with CORS (a crossorigin attribute plus a matching Access-Control-Allow-Origin). Resources that do neither are blocked, so nothing a third party did not agree to share reaches the page's process. A Spectre-style attack can only read memory in that process; keeping unconsented cross-origin data out of it is what closes the door. The alternative value COEP: credentialless instead sends non-opted-in cross-origin requests without cookies, so public resources still load but authenticated responses cannot be pulled in. Either value, combined with COOP: same-origin, makes the page cross-origin isolated.
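The following is an added example, not code from the demo page: a model of the Cross-Origin-Resource-Policy check a browser applies when a document with a given COEP loads a no-cors subresource (an <img>, <script> or <audio> without a crossorigin attribute), following the shape of the Fetch spec's "cross-origin resource policy internal check". Two simplifications are assumptions: "site" is taken to be the scheme plus the last two labels of the hostname (the real check uses the Public Suffix List), and a CORS-mode load that already passed its Access-Control-Allow-Origin check is modelled by a single corsPassed flag. All URLs are constructed sample input.

```javascript
// Added example: model of the browser's CORP check for no-cors subresource loads.
// Assumptions: siteOf() uses the last two host labels instead of the Public
// Suffix List; a successful CORS-mode load is represented by corsPassed.

function originOf(u) {
  const url = new URL(u);
  return `${url.protocol}//${url.host}`;
}

// Assumption: registrable domain = last two host labels, plus the scheme.
function siteOf(u) {
  const url = new URL(u);
  const labels = url.hostname.split(".");
  return `${url.protocol}//${labels.slice(-2).join(".")}`;
}

/**
 * Decide whether documentUrl may load resourceUrl as a no-cors subresource.
 *   coep: the document's Cross-Origin-Embedder-Policy ("unsafe-none" when absent)
 *   corp: the resource's Cross-Origin-Resource-Policy header value, or null
 *   corsPassed: request was made in CORS mode and the CORS check succeeded
 *   requestIncludedCredentials: whether cookies went out with the request
 *     (under COEP: credentialless the browser strips them from no-cors
 *     cross-origin requests, which is why those loads are still allowed)
 * Returns { allowed, reason }.
 */
function corpCheck({ documentUrl, resourceUrl, coep = "unsafe-none", corp = null,
                     corsPassed = false, requestIncludedCredentials = false }) {
  if (originOf(documentUrl) === originOf(resourceUrl)) {
    return { allowed: true, reason: "same-origin response; CORP does not apply" };
  }
  if (corsPassed) {
    return { allowed: true, reason: "CORS grant covers the response" };
  }

  // Normalise the header, then fill in the policy COEP implies when it is absent.
  let policy = ["same-origin", "same-site", "cross-origin"].includes(corp) ? corp : null;
  if (policy === null) {
    if (coep === "require-corp") policy = "same-origin";
    else if (coep === "credentialless") policy = requestIncludedCredentials ? "same-origin" : "cross-origin";
    // "unsafe-none": policy stays null and the response is allowed through.
  }

  switch (policy) {
    case null:
      return { allowed: true, reason: "no CORP header and COEP does not require one" };
    case "same-origin":
      if (corp) return { allowed: false, reason: "CORP: same-origin blocks cross-origin embedding" };
      return coep === "credentialless"
        ? { allowed: false, reason: "COEP: credentialless refuses a credentialed response without CORP or CORS" }
        : { allowed: false, reason: "COEP: require-corp needs CORP or CORS" };
    case "same-site":
      return siteOf(documentUrl) === siteOf(resourceUrl)
        ? { allowed: true, reason: "CORP: same-site, same site" }
        : { allowed: false, reason: "CORP: same-site blocks cross-site embedding" };
    default: // "cross-origin"
      return corp
        ? { allowed: true, reason: "CORP: cross-origin" }
        : { allowed: true, reason: "COEP: credentialless, request sent without credentials" };
  }
}

// The demo's Scenario 1: no COEP, cross-origin image, no CORP header (allowed).
const demoState = corpCheck({
  documentUrl: "https://demo.example",
  resourceUrl: "https://images.example.net/test.png",
});
console.log(demoState);
```

Switching the same call to coep: "require-corp" flips the result to blocked until the image server adds Cross-Origin-Resource-Policy: cross-origin or the <img> is loaded with crossorigin and a matching CORS header.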

Scenario 2: Cross-Origin Opener Policy (COOP)

Cross-origin window access

Can a page that opens this site read back its window reference?

⚠️ No COOP. A page that opens this site via window.open() keeps a WindowProxy for this window, and this page sees that opener as window.opener. Cross-origin it cannot read this page's DOM, but it can navigate this window, post messages to it, and read the few properties the same-origin policy exposes cross-origin, such as closed and length.
The demo offers two checks: inspect this page's own opener relationship (window.opener), and open a cross-origin page that tries to read back this window.
What COOP does

Without COOP, a malicious page that opens this one with window.open() (or, in browsers that do not imply rel="noopener" on target="_blank" links, by tricking the user into clicking a link) keeps a JS reference to this window, and this page sees it as window.opener. Both documents stay in one browsing context group, so the browser may host them in the same process. The opener can navigate this page (for example to a look-alike login page once the user has looked away, the reverse tabnabbing trick), time this page's operations with performance APIs, and, if it shares the process, use a Spectre-style attack to read this page's memory. COOP: same-origin puts this page into a new browsing context group: the opener's WindowProxy is disconnected and window.opener is null here. COOP: same-origin-allow-popups keeps the link for popups this page opens itself (an OAuth window, say) while still refusing to stay attached to pages that open it.
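The following is an added example, not code from the demo page: the decision a browser makes when a popup or navigation lands on a document with a given COOP, following the HTML spec's "check if COOP values require a browsing context group switch" and its "matching COOP values" helper. When a switch is required, the new document gets a fresh browsing context group, so window.opener is null on the opened side and the opener's WindowProxy is disconnected. Header parsing is simplified by assumption (structured-header parameters such as report-to are dropped), and the origins and header sets below are constructed sample input.

```javascript
// Added example: model of the COOP browsing-context-group switch decision.
// Assumption: header values are reduced to their first ";"-separated token.

const VALID_COOP = new Set(["unsafe-none", "same-origin", "same-origin-allow-popups"]);

// Derive a response's effective COOP value. COOP: same-origin combined with a
// COEP that enables cross-origin isolation becomes the internal value
// "same-origin-plus-COEP", which is also the condition for crossOriginIsolated.
function effectiveCoop(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).split(";")[0].trim().toLowerCase();
  }
  const coop = VALID_COOP.has(h["cross-origin-opener-policy"]) ? h["cross-origin-opener-policy"] : "unsafe-none";
  const coep = h["cross-origin-embedder-policy"];
  if (coop === "same-origin" && (coep === "require-corp" || coep === "credentialless")) {
    return "same-origin-plus-COEP";
  }
  return coop;
}

function isCrossOriginIsolated(headers) {
  return effectiveCoop(headers) === "same-origin-plus-COEP";
}

// Spec: "match cross-origin opener policy values".
function coopValuesMatch(a, originA, b, originB) {
  if (a === "unsafe-none" && b === "unsafe-none") return true;
  if (a === "unsafe-none" || b === "unsafe-none") return false;
  return a === b && originA === originB;
}

// Spec: "check if COOP values require a browsing context group switch".
function requiresBrowsingContextGroupSwitch({ isInitialAboutBlank, currentCoop, currentOrigin, responseCoop, responseOrigin }) {
  if (coopValuesMatch(currentCoop, currentOrigin, responseCoop, responseOrigin)) return false;
  // A same-origin-allow-popups document may keep a popup that itself has no COOP.
  if (isInitialAboutBlank && currentCoop === "same-origin-allow-popups" && responseCoop === "unsafe-none") return false;
  return true;
}

// Simulate openerOrigin calling window.open() on a page served with targetHeaders.
// A popup starts as the initial about:blank in the opener's group, inheriting the
// opener's COOP and origin, so those are the "current" values for the check.
function openerRetained(openerHeaders, openerOrigin, targetHeaders, targetOrigin) {
  return !requiresBrowsingContextGroupSwitch({
    isInitialAboutBlank: true,
    currentCoop: effectiveCoop(openerHeaders),
    currentOrigin: openerOrigin,
    responseCoop: effectiveCoop(targetHeaders),
    responseOrigin: targetOrigin,
  });
}

// Constructed scenarios (not measurements from the demo).
const attacker = "https://attacker.example";
const demo = "https://demo.example";
const isolated = { "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" };

console.log("no headers, attacker keeps opener:", openerRetained({}, attacker, {}, demo));
console.log("COOP same-origin, attacker keeps opener:", openerRetained({}, attacker, isolated, demo));
console.log("demo (allow-popups) keeps its own OAuth popup:",
  openerRetained({ "Cross-Origin-Opener-Policy": "same-origin-allow-popups" }, demo, {}, "https://idp.example"));
console.log("crossOriginIsolated:", isCrossOriginIsolated(isolated));
```

In the browser, the opened page confirms the same outcome with window.opener === null, and window.crossOriginIsolated reports whether COOP and COEP together granted isolation. Note the last case the model exposes: a cross-origin-isolated document that opens a same-origin page served with COOP: same-origin but no COEP still gets a group switch, because "same-origin-plus-COEP" and "same-origin" do not match.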