Fix up COOP HTTP header errors

[hamishwillee]

There is a typo in the description for the HTTP COOP header, for the case of opening a page in a popup (using window.open() that makes the table wrong.

The steps come from https://html.spec.whatwg.org/multipage/browsers.html#check-browsing-context-group-switch-coop-value-popup. This directly matches the spec (I suspect I tried to invert the logic originally, hence the mismatch).

[github-actions]

Preview URLs

• /en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy

Flaws (6)

URL: /en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
Title: Cross-Origin-Opener-Policy
Flaw count: 6

• broken_links:
  • /en-US/docs/Glossary/response_header is ill cased
• macros:
  • Macro produces link /en-US/docs/Glossary/response_header which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy which is a redirect
• unknown:
  • No generic content config found

(comment last updated: 2025-03-13 13:12:08)

[bsmth]

The spec links in the comments were very useful to cross-check, and looks good, so a +1 from me - thanks 👍🏻

[wbamberg]

I think this is definitely better. I don't have time to try a full review of this page, but of course happy to merge this as an incremental improvement. But a couple of other things you might consider now:

Line 91: BCD->BCG

Line 103: you could simplify this:

• neither document is unsafe-none, their policy values are the same, and they are same-origin.

...by removing the first clause: if the policies have to be the same, and we already know they are not both unsafe-none, then it's determined that neither can be unsafe-none. In fact at that point it might be better not to have a separate referenced "matching policies" definition, because you can express it quite concisely as: "either both polices are unsafe-none, or the policies are the same and the documents are same-origin".

In general it's worth being really precise about language, because this is complex. For example, you have:

True: opened noopener-allow-popups

What does "opened" mean here? I think it is "The opened document has a policy of noopener-allow-popups" but it doesn't say exactly that. In the state of uncertainty I'm already in when trying to understand this, I don't want any additional uncertainty.

I think the way the table expresses the choice (New/Same) is better than the way the text does (true/false), because with the text there's another logical link (what is true?) and of course that got flipped in the original here. So I would consider rewriting the algorithm text like:

When opening a document using Window.open(), the new document is opened in a new BCG according to the following rules, which are evaluated in order:

• If the new document has COOP set to noopener-allow-popups => open the new document in a new BCG
• If the new document has COOP set to unsafe-none and the opener document has COOP set to either same-origin-allow-popups or noopener-allow-popups => open the new document in the same BCG
• If the new document and the opening document have [matching COOP policies](make this a link) => open the new document in the same BCG
• Otherwise, open the new document in a new BCG

Getting into more extensive territory:

• It would be helpful to have more, and simpler, examples showing the key use cases here.

• The example at https://pr38568.review.mdn.allizom.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy#severing_the_opener_relationship, especially the list at the end, makes me want to run away.

[github-actions]

This pull request has merge conflicts that must be resolved before it can be merged.

[github-actions]

Preview URLs

• /en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy

Flaws (6)

URL: /en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
Title: Cross-Origin-Opener-Policy
Flaw count: 6

• broken_links:
  • /en-US/docs/Glossary/response_header is ill cased
• macros:
  • Macro produces link /en-US/docs/Glossary/response_header which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated which is a redirect
  • Macro produces link /en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy which is a redirect
• unknown:
  • No generic content config found

[hamishwillee]

Thanks for the reviews.

@wbamberg I have integrated your "easy feedback" pretty much verbatim - much better. What was there before is what you get when you spend way too long looking at something and end up deciding that matching the spec is the safest option.

I am not going near those examples. I still have PTSD from the last time I was involved in this document.