COOPViolationReportBody

The COOPViolationReportBody dictionary represents the body of a report whose type is coop.

Reports with this type are used by the Reporting API to notify of violations of COOP policies set with the HTTP headers Cross-Origin-Opener-Policy and Cross-Origin-Opener-Policy-Report-Only. A serialized version of the same report structure may also be sent to reporting server endpoints.

Note: This object does not derive from ReportBody (unlike some other Report.body values).

Instance properties

COOPViolationReportBody.disposition Read only

A string indicating whether the report is for an enforced or a reporting policy violation.

COOPViolationReportBody.effectivePolicy Read only

A string indicating the effective COOP policy of the document for which the violation report is being sent. This may be an enforced or reporting-only policy, depending on the disposition.

COOPViolationReportBody.previousResponseURL Read only

A string indicating the sanitized URL of the opener of a document. This is reported to an opened document, in a report whose body COOPViolationReportBody.type is navigation-to-response.

COOPViolationReportBody.nextResponseURL Read only

A string indicating the sanitized URL of the opened document. This is reported to an opener document, in a report whose body COOPViolationReportBody.type is navigation-from-response.

COOPViolationReportBody.referrer Read only

A string representing the original URL that started the navigation chain that resulted in this report.

COOPViolationReportBody.type Read only

A string indicating the type of violation report: navigation-to-response, navigation-from-response, or access-to-opener.

COOPViolationReportBody.property Read only

A string representing whether XXXX

COOPViolationReportBody.openerURL Read only

A string representing whether XXXX

COOPViolationReportBody.sourceFile Read only

A string indicating the URL of the script that triggered the violation report.

COOPViolationReportBody.lineNumber Read only

A string indicating the line number in the script that triggered the violation report.

COOPViolationReportBody.columnNumber Read only

A string indicating the column number in the script that triggered the violation report.

COOPViolationReportBody.openedWindowURL Read only

A string representing whether XXXX

COOPViolationReportBody.openedWindowInitialURL Read only

A string representing whether XXXX

Description

When navigating to a new document, or using window.open() to open a document, the new document may be opened in the same browsing context group (BCG) as the original document, or in a new BCG. If a document is opened in a new BCG it is cross-origin isolated from the original document, which closes a number of paths for malicious code.

Whether or not a document is opened in a new BCG depends on the cross-origin opener policy of both documents and may also depend on whether the documents are same-origin or cross-origin. Document policies can be set and enforced using the Cross-Origin-Opener-Policy HTTP header, or set and reported-on (but not enforced) using the Cross-Origin-Opener-Policy-Report-Only header.

COOP policy violations may be reported using the Reporting API whenever a policy causes (or would cause) a document to be opened in a new BCG, or if the opened document attempts to access its opener.

A COOP policy violation report is represented by a Report instance that has the type of coop and a body property that is an object of this type. Reports can be returned via the ReportingObserver interface or serialized and sent in a POST to a reporting server endpoint.

To send reports to a reporting server endpoint, the Cross-Origin-Opener-Policy and/or Cross-Origin-Opener-Policy-Report-Only headers used to set the policy must include the report-to parameter with a valid reporting endpoint name. Valid endpoint names are defined using the Reporting-Endpoints header.

Reporting enforcement and report-only policy violations

The Cross-Origin-Opener-Policy header is used to enforce a COOP policy for a particular document. The policy effectively defines the policies that other documents must have in order to open or navigate to the document within the same BCG, and in order to be opened or navigated to from this document and remain in the same BCG.

The Cross-Origin-Opener-Policy-Report-Only header can be used to test the effect of enforcing a COOP policy for a particular document. When the document opens or is opened by another document, its report-only policy is compared to the actual policy of the other document to determine whether there would be a violation, and an appropriate report is sent.

A document can set Cross-Origin-Opener-Policy and/or Cross-Origin-Opener-Policy-Report-Only headers. These can have the same or different policies and reporting endpoints.

Types of reports

Different reports are sent depending on whether the reporter is the opener or the opened document in a navigation, or whether the report is for a COOP access violation. The type of each report is indicated by the body COOPViolationReportBody.type property (the Report.type is coop for all of these).

navigation-to-response report

This type of report is sent to the COOP reporting endpoint, if specified, of a document that is navigated to (opened) in a navigation.

For an enforced COOP policy, it indicates that the document was opened in a new BCG. This occurs when the COOP policy of the opened document is incompatible with that of its opener. For navigations this means that the opened document has a different COOP policy from its opener, or the same policy but they are not same-site (unless both documents have a COOP policy of unsafe-none).

For a report-only COOP policy, it indicates the report-only COOP policy is incompatible with the (enforced) policy of its opener. In other words, that the report-only policy set in Cross-Origin-Opener-Policy-Report-Only would result in a violation if it was enforced.

The report has the following properties:

  • type: navigation-to-response
  • disposition: Whether the report is for an enforced or reporting policy.
  • effectivePolicy: The effective policy of the opened document. This may be an enforced or reporting-only policy, depending on the disposition.
  • previousResponseURL: The sanitized URL of the previous document (that was navigated from), or null for cross-origin navigations. This is the URL of the opener. It might be the same URL as the referrer or it might be an intermediate redirect URL.
  • referrer: The original URL that started the navigation chain that resulted in this report.

navigation-from-response report

This type of report is sent to the COOP reporting endpoint, if specified, of a document that is navigated from in a navigation.

For an enforced COOP policy, it indicates that the document that was navigated to was opened in a new BCG. This occurs when the COOP policy of the opened document is incompatible with that of its opener. For navigations this means that the opened document has a different COOP policy from its opener, or the same policy but they are not same-site (unless both documents have a COOP policy of unsafe-none).

For a report-only COOP policy, it indicates the report-only COOP policy of the opener is incompatible with the (enforced) policy of the page that is being navigated to. In other words, that the report-only policy set in Cross-Origin-Opener-Policy-Report-Only would result in a violation if it was enforced.

Reports of type navigation-from-response have the following properties:

  • type: navigation-from-response
  • disposition: Whether the report is for an enforced or reporting policy.
  • effectivePolicy: The policy of the opener document. This may be an enforced or reporting-only policy, depending on the disposition.
  • nextResponseURL: The sanitized URL of the opened document (that was navigated to), or null for cross origin navigations.

access-to-opener report

Examples

COOP report

In this example we create a new ReportingObserver to observe COOP reports, then log the first report to the console.

```js
const options = {
  types: ["coop"], // only deliver COOP violation reports to this observer
  buffered: true, // also deliver reports generated before observe() was called
};

const observer = new ReportingObserver((reports, observer) => {
  const firstReport = reports[0];
  console.log(firstReport.type); // coop
  console.log(firstReport);
}, options);

// Observation does not start until observe() is called.
observer.observe();
```

The logged report object for a COOP violation from loading an iframe might look like this:

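As an added example that is not part of the original page, the handler below classifies COOP reports by the three body types described in "Types of reports" and extracts the fields relevant to each; it can be fed from a ReportingObserver in a browser or run offline on constructed sample reports. The disposition strings, URLs and policies in the sample data are assumptions, not browser output.

```javascript
// Added example, not from the original page: classify COOP violation reports
// by the body.type values described above and pull out the fields relevant to
// each. Disposition strings and all sample data below are assumptions.
function summarizeCoopReport(report) {
  if (report.type !== "coop") return null; // ignore non-COOP reports
  const body = report.body;
  const base = {
    reporter: report.url,
    disposition: body.disposition, // assumed "enforce" or "reporting"
    effectivePolicy: body.effectivePolicy,
    kind: body.type,
  };
  switch (body.type) {
    case "navigation-to-response":
      // Received by the opened document: sanitized opener URL plus referrer.
      return { ...base, opener: body.previousResponseURL, referrer: body.referrer };
    case "navigation-from-response":
      // Received by the opener document: sanitized URL of the opened document.
      return { ...base, opened: body.nextResponseURL };
    case "access-to-opener":
      // Access violation: which property was touched and from where in script.
      return { ...base, property: body.property, sourceFile: body.sourceFile,
               lineNumber: body.lineNumber, columnNumber: body.columnNumber };
    default:
      return { ...base, kind: "unknown" };
  }
}
function summarizeAll(reports) {
  return reports.map(summarizeCoopReport).filter((s) => s !== null);
}
// Constructed sample reports shaped like Report objects whose body is a
// COOPViolationReportBody; the URLs and policies are made up for this example.
const SAMPLE_REPORTS = [
  { type: "coop", url: "https://popup.example/", body: { type: "navigation-to-response",
      disposition: "reporting", effectivePolicy: "same-origin",
      previousResponseURL: "https://opener.example/", referrer: "https://opener.example/" } },
  { type: "coop", url: "https://opener.example/", body: { type: "navigation-from-response",
      disposition: "enforce", effectivePolicy: "same-origin", nextResponseURL: null } },
  { type: "csp-violation", url: "https://popup.example/", body: {} },
];
// Reports only reach a server endpoint when the COOP header carries report-to
// naming an endpoint declared via Reporting-Endpoints; this handler is the
// in-page (ReportingObserver) path. Node has no ReportingObserver, so the
// guard keeps the file runnable offline on the sample data.
if (typeof ReportingObserver !== "undefined") {
  new ReportingObserver((r) => console.log(summarizeAll(r)), { types: ["coop"], buffered: true }).observe();
} else {
  console.log(summarizeAll(SAMPLE_REPORTS));
}
```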
