feat(analyzer): add COOP + COEP scoring #498

Draft
caugner wants to merge 3 commits into main from 410-coep-coop-tests

@caugner caugner commented Apr 10, 2026

Description

Adds scoring for the Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) headers.

Motivation

Reward sites that set these headers correctly.

Additional details

COOP scoring (cf. this comment):

| Test result | Description | Modifier |
| --- | --- | --- |
| coop-not-implemented | COOP header not set | 0 |
| coop-implemented-with-same-origin | COOP header set to same-origin, enforcing site isolation from the opener | 10 |
| coop-implemented-with-same-origin-allow-popups | COOP header set to same-origin-allow-popups, enforcing site isolation from the opener but allows trusted resources such as for OAuth or payments | 10 |
| coop-implemented-with-noopener-allow-popups | COOP header set to noopener-allow-popups, enforcing site isolation from the opener even if they are same origin | 10 |
| coop-implemented-with-unsafe-none | COOP header set to unsafe-none, the document permits sharing its browsing context group with any other document, and may therefore be unsafe | 0 |

COEP scoring (cf. this comment):

| Test result | Description | Modifier |
| --- | --- | --- |
| coep-not-implemented | COEP header not set | 0 |
| coep-implemented-with-require-corp | COEP header set to require-corp, restricting loading cross origin resources | 10 |
| coep-implemented-with-credentialless | COEP header set to credentialless, allowing loading cross origin resources but without sending credentials in the requests | 10 |
| coep-implemented-with-unsafe-none | COEP header set to unsafe-none, allowing loading cross origin resources, which is the default value | 0 |

In addition to these:

| Test result | Description | Modifier |
| --- | --- | --- |
| coop-header-invalid | COOP header cannot be recognized | -5 |
| coep-header-invalid | COEP header cannot be recognized | -5 |

Related issues and pull requests

Fixes #410.

caugner added 3 commits April 11, 2026 01:01

Adds scoring for the Cross-Origin-Opener-Policy (COOP) header:
- same-origin, same-origin-allow-popups, noopener-allow-popups: +10
- unsafe-none, not implemented: 0
- invalid header: -5

Adds scoring for the Cross-Origin-Embedder-Policy (COEP) header:
- require-corp, credentialless: +10
- unsafe-none, not implemented: 0
- invalid header: -5

Reflects the addition of COOP and COEP tests.

@caugner caugner force-pushed the 410-coep-coop-tests branch from c237c79 to bb71593 Compare April 10, 2026 23:01
@caugner caugner changed the title feat(analyzer): add tests for COOP + COEP feat(analyzer): add COOP + COEP scoring Apr 16, 2026
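
An added sketch of how response headers could be mapped to the test results and modifiers tabulated in the PR description; it is not code from this pull request or the project. The `scorePolicy` function, its input shape, and the parsing rules (parameters after `;` ignored, exact case-sensitive token match, comma-joined duplicates rejected) are assumptions.

```javascript
// Added example, not the project's code. Result names and modifiers come from
// the tables in the PR description; the parsing rules below are assumptions.
const POLICIES = {
  coop: {
    header: "cross-origin-opener-policy",
    scores: {
      "same-origin": 10,
      "same-origin-allow-popups": 10,
      "noopener-allow-popups": 10,
      "unsafe-none": 0,
    },
  },
  coep: {
    header: "cross-origin-embedder-policy",
    scores: { "require-corp": 10, "credentialless": 10, "unsafe-none": 0 },
  },
};

// kind: "coop" or "coep". headers: plain object of response headers
// (hypothetical input shape chosen for this example).
function scorePolicy(kind, headers) {
  const { header, scores } = POLICIES[kind];
  // Header names are case-insensitive, so match regardless of casing.
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === header
  );
  if (entry === undefined) {
    return { result: `${kind}-not-implemented`, modifier: 0 };
  }
  // Assumption: parameters such as report-to="..." do not affect the score.
  const token = String(entry[1]).split(";")[0].trim();
  // Assumption: the value must match a known token exactly. An empty value,
  // different letter case, or a comma-joined duplicate header is not
  // recognized and is scored as invalid.
  if (!Object.hasOwn(scores, token)) {
    return { result: `${kind}-header-invalid`, modifier: -5 };
  }
  return {
    result: `${kind}-implemented-with-${token}`,
    modifier: scores[token],
  };
}
```
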

Development

Successfully merging this pull request may close these issues.

Add support for Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy