Michal Charemza

Popup loaded with "Cross-Origin-Opener-Policy: same-origin-allow-popups" in it (not its opener)

If a popup/tab is opened from JavaScript using window.open where

Then does the opener have access to the popup via the return value of window.open? From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy it says

same-origin-allow-popups

Retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.

But this seems to describe the behaviour of the site calling window.open with this value of Cross-Origin-Opener-Policy. I'm wondering about how things behave if some (possibly adversarial) site uses window.open to open a site, and that site uses "Cross-Origin-Opener-Policy: same-origin-allow-popups".

Upvotes: 1

Views: 2453

Answers (1)

Michal Charemza

The spec at https://html.spec.whatwg.org/dev/browsers.html is, I think, a touch more explicit on this:

"same-origin-allow-popups"

This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same cross-origin opener policy and they are same origin.

So I suspect that any adversarial site loading the site in a popup won't have access. By my understanding of a different "top-level browsing context" this means a different process, so the separation should be strong.

Upvotes: 0
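The comparison described in the MDN and spec text quoted above, written out as a simplified model for the first navigation of a freshly opened popup. This is an added example, not part of the original question or answer and not browser code; the function names and the `attacker.example` / `app.example` / `idp.example` URLs are constructed for illustration, and only the `unsafe-none`, `same-origin-allow-popups` and `same-origin` values are modelled.

```javascript
// Simplified model (assumption: first navigation of a popup just created by window.open).
const UNSAFE_NONE = "unsafe-none";
const ALLOW_POPUPS = "same-origin-allow-popups";

// A missing Cross-Origin-Opener-Policy header behaves as unsafe-none.
function normalizeCoop(headerValue) {
  return headerValue ? headerValue.trim().toLowerCase() : UNSAFE_NONE;
}

function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// "unless its predecessor specified the same cross-origin opener policy
// and they are same origin" (the spec sentence quoted in the answer).
function coopMatches(opener, popup) {
  const a = normalizeCoop(opener.coop);
  const b = normalizeCoop(popup.coop);
  if (a === UNSAFE_NONE && b === UNSAFE_NONE) return true;
  if (a === UNSAFE_NONE || b === UNSAFE_NONE) return false;
  return a === b && sameOrigin(opener.url, popup.url);
}

// Returns true when the popup's document is placed in a new browsing context
// group, so the value window.open() returned no longer reaches it.
function popupIsIsolated(opener, popup) {
  if (coopMatches(opener, popup)) return false;
  // MDN-quoted exception: an opener with same-origin-allow-popups keeps
  // references to popups that set no COOP or set unsafe-none.
  if (normalizeCoop(opener.coop) === ALLOW_POPUPS &&
      normalizeCoop(popup.coop) === UNSAFE_NONE) return false;
  return true;
}

// Constructed sample scenarios.
const scenarios = {
  // The case asked about: a site without COOP opens a site that sets the header.
  adversarialOpener: popupIsIsolated(
    { url: "https://attacker.example/", coop: null },
    { url: "https://app.example/account", coop: ALLOW_POPUPS }),
  // The protected site opening its own page with the same policy.
  sameSitePopup: popupIsIsolated(
    { url: "https://app.example/", coop: ALLOW_POPUPS },
    { url: "https://app.example/help", coop: ALLOW_POPUPS }),
  // The protected site opening a third-party page that sets no COOP.
  thirdPartyPopup: popupIsIsolated(
    { url: "https://app.example/", coop: ALLOW_POPUPS },
    { url: "https://idp.example/login", coop: null }),
};
console.log(scenarios);
```

In the first scenario the popup is isolated, so the header protects the opened site in the direction the question asks about; the exception for popups only applies when the opener is the one that set `same-origin-allow-popups`.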
