Reputation: 387
What is the difference between using Cross-Origin-Opener-Policy and rel="noopener noreferrer"?
The Cross-Origin-Opener-Policy header seems to be quite similar to what the rel="noopener noreferrer" attribute does when opening document in a new tab (target="_blank").
When should I use which one? It seems the COOP header is applicable when I link between origins while the rel="noopener noreferrer" attribute (on anchor tags) seems to work on the same origin as well.
The COOP header also doesn't work over HTTP.
Should I use both? They seem to be quite complimentary.
I am a bit confused here.
Upvotes: 5
Views: 1391
Answers (1)
Reputation: 13892
As much as I understand:
COOP will allow you to block access to your window object if someone opens your window from their window, while noreferrer / noopener is for when you don't want the windows that you open as child, to have access to your window object.
- COOP blocks window access when you window is opened as child
- noreferrer / noopener blocks window access when your window is the parent
Upvotes: 1
Related Questions
- Why people use `rel="noopener noreferrer"` instead of just `rel="noreferrer"`
- Alternative to window.open that doesn't involve CORS
- Why is a `Cross-Origin-Opener-Policy: unsafe-none` header unsafe?
- difference between Cross-Origin-Embedder-Policy-Report-Only and Cross-Origin-Embedder-Policy
- Use window.open but block use of window.opener
- window.opener is NULL with right click on link
- Using rel="noopener" in window.open()
- window.opener return Cross Origin error in Chrome
- Using window.opener causes CORS error
- Cross Origin - window popup (window.opener is null)