From 0cc06ce9e4d851c1fb5db7344458158276debd28 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Tue, 11 Mar 2025 16:22:52 +1100 Subject: [PATCH 1/5] Fix up COOP HTTP header errors --- .../http/reference/headers/cross-origin-opener-policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md index 419362595b226ea..8d55520de1a2992 100644 --- a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md @@ -115,7 +115,7 @@ The table below shows the result of this rule on whether documents are opened in ### Opening with Window.open() -When opening a document using `Window.open()`, the new document is opened in the same BCG according to the following rules, which are evaluated in order: +When opening a document using `Window.open()`, the new document is opened in a new BCG according to the following rules, which are evaluated in order: 1. True: opened `noopener-allow-popups` 2. False: (`opener same-origin-allow-popups` or `noopener-allow-popups`) and (opened document is `unsafe-none`) From fae8d3700a5574b77e1e2fe95b62fa05177748ac Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Tue, 11 Mar 2025 17:13:12 +1100 Subject: [PATCH 2/5] Add arrows to make it clear which values are which --- .../cross-origin-opener-policy/index.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md index 8d55520de1a2992..3bff66822f0d86b 100644 --- a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md 
@@ -106,12 +106,12 @@ The table below shows the result of this rule on whether documents are opened in -| Opener (row) / Opened (col) | `unsafe-none` | `same-origin-allow-popups` | `same-origin` | `noopener-allow-popups` | -| --------------------------- | ------------- | -------------------------- | ------------------- | ----------------------- | -| `unsafe-none` | Same | New | New | New | -| `same-origin-allow-popups` | New | Same if same-origin | New | New | -| `same-origin` | New | New | Same if same-origin | New | -| `noopener-allow-popups` | New | New | New | Same if same-origin | +| Opener (↓) / Opened (→) | `unsafe-none` | `same-origin-allow-popups` | `same-origin` | `noopener-allow-popups` | +| -------------------------- | ------------- | -------------------------- | ------------------- | ----------------------- | +| `unsafe-none` | Same | New | New | New | +| `same-origin-allow-popups` | New | Same if same-origin | New | New | +| `same-origin` | New | New | Same if same-origin | New | +| `noopener-allow-popups` | New | New | New | Same if same-origin | ### Opening with Window.open() 
@@ -126,12 +126,12 @@ The table below shows the opener behaviour for the different directive values. -| Opener (row) / Opened (col) | `unsafe-none` | `same-origin-allow-popups` | `same-origin` | `noopener-allow-popups` | -| --------------------------- | ------------- | -------------------------- | ------------------- | ----------------------- | -| `unsafe-none` | Same | New | New | New | -| `same-origin-allow-popups` | Same | Same if same-origin | New | New | -| `same-origin` | New | New | Same if same-origin | New | -| `noopener-allow-popups` | Same | New | New | New | +| Opener (↓) / Opened (→) | `unsafe-none` | `same-origin-allow-popups` | `same-origin` | `noopener-allow-popups` | +| -------------------------- | ------------- | -------------------------- | ------------------- | ----------------------- | +| `unsafe-none` | Same | New | New | New | +| `same-origin-allow-popups` | Same | Same if same-origin | New | New | +| `same-origin` | New | New | Same if same-origin | New | +| `noopener-allow-popups` | Same | New | New | New | ## Examples From 2dff0bb284df2450d1d518b37587a7bdde9e2e8f Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Fri, 14 Mar 2025 11:32:25 +1100 Subject: [PATCH 3/5] BCD -> BCG --- .../http/reference/headers/cross-origin-opener-policy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md index 3bff66822f0d86b..5be344b6b70a2bc 100644 --- a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md 
@@ -88,7 +88,7 @@ Cross-Origin-Opener-Policy: noopener-allow-popups Generally you should set your policies such that only same-origin and trusted cross-origin resources that need to be able to script each other should be allowed to be opened in the same browser context group. Other resources should be cross-origin isolated in their own group. -The following sections show whether documents will be opened in the same BCG or a new BCD following a navigation or opening a window programmatically. +The following sections show whether documents will be opened in the same BCG or a new BCG following a navigation or opening a window programmatically. > [!NOTE] > The specification uses the term "popup" to refer to any document opened using {{domxref("Window.open()")}}, whether it is a popup, tab, window, or other context. From 1d9d113ac44d85796c5e5b5a77ea1d8b75230c87 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Fri, 14 Mar 2025 11:41:48 +1100 Subject: [PATCH 4/5] Simplify the matching policy case --- .../reference/headers/cross-origin-opener-policy/index.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md index 5be344b6b70a2bc..4b079c404fd0dc8 100644 --- a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md 
@@ -97,12 +97,9 @@ The following sections show whether documents will be opened in the same BCG or When navigating between documents, the new document is opened in the same BCG if the two documents have "matching coop policies", and otherwise into a new BCG. -The policies match if: +The policies match if either both documents have the policy `unsafe-none`, or if the policies are the same and the documents are same-origin. -- both documents are `unsafe-none`, or -- neither document is `unsafe-none`, their policy values are the same, and they are same-origin. - -The table below shows the result of this rule on whether documents are opened in the same or a new BCG for the different directive values. +The table below shows how this rule affects whether documents are opened in the same or a new BCG for the different directive values. From 8407639d5c987c09c76b641da096d1dd2612b3d4 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Fri, 14 Mar 2025 11:52:06 +1100 Subject: [PATCH 5/5] window.open() fixes as per wbamberg --- .../headers/cross-origin-opener-policy/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md index 4b079c404fd0dc8..86c1fa93ace3898 100644 --- a/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/reference/headers/cross-origin-opener-policy/index.md 
@@ -114,12 +114,12 @@ The table below shows how this rule affects whether documents are opened in the When opening a document using `Window.open()`, the new document is opened in a new BCG according to the following rules, which are evaluated in order: -1. True: opened `noopener-allow-popups` -2. False: (`opener same-origin-allow-popups` or `noopener-allow-popups`) and (opened document is `unsafe-none`) -3. False: Matching COOP policies (as outlined above for navigations) -4. True: Otherwise! +1. If the new document has COOP set to `noopener-allow-popups` => open the new document in a new BCG +2. If the new document has COOP set to `unsafe-none` and the opener document has COOP set to either `same-origin-allow-popups` or `noopener-allow-popups` => open the new document in the same BCG +3. If the new document and the opening document have [matching COOP policies](#navigations) => open the new document in the same BCG +4. Otherwise, open the new document in a new BCG -The table below shows the opener behaviour for the different directive values. +The table below shows how these rules affect whether documents are opened in the same or a new BCG for the different directive values.
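Review bot: In PATCH 2/5, the header cell `Opener (↓) / Opened (→)` in both tables now relies on the arrow glyphs alone to say which axis is which, and the words "row" and "col" it replaces were the only text a screen reader or a font without those glyphs would have conveyed. Keeping both, for example `Opener (row ↓) / Opened (col →)`, preserves the visual cue without losing the textual one. The two tables also share an identical header and differ in only three cells (`same-origin-allow-popups` → `unsafe-none`, `noopener-allow-popups` → `unsafe-none`, and `noopener-allow-popups` → `noopener-allow-popups`), so a caption or lead-in naming each table as the navigation case or the `Window.open()` case would keep them from being confused when read out of context.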
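Review bot: In PATCH 4/5, the added sentence "The policies match if either both documents have the policy `unsafe-none`, or if the policies are the same and the documents are same-origin" can be read as requiring same-origin in both branches, which the removed bullets did not: "both documents are `unsafe-none`" matched regardless of origin, and the navigation table agrees (`unsafe-none` / `unsafe-none` is "Same", not "Same if same-origin"). The simplification itself is logically sound, since dropping "neither document is `unsafe-none`" changes nothing, but the grouping should be explicit, for example "The policies match if both documents have the policy `unsafe-none` (whatever their origins), or if both have the same policy and are same-origin." The "if either ... or if" doubling can go at the same time. The unchanged context line also writes "matching coop policies" in lower case while 5/5 links to "matching COOP policies"; one spelling throughout would be better.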
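Review bot: In PATCH 5/5, the unchanged lead sentence still says "the new document is opened in a new BCG according to the following rules", but the rewritten rules 2 and 3 both end in "open the new document in the same BCG", so the sentence contradicts the list it introduces. Suggest "the new document is opened in the same BCG or a new BCG according to the following rules, which are evaluated in order". Within the list, rule 2 says "the opener document" and rule 3 says "the opening document"; use one term. Rules 1 to 3 use `=>` as a prose arrow while rule 4 is a plain sentence ("Otherwise, open ..."); writing all four as "If ..., open the new document in ..." would be consistent and avoids a symbol that reads like code. The `[matching COOP policies](#navigations)` link depends on a heading that is not visible in this hunk, so the anchor is worth checking in the rendered page.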