Configuring the Cross-Origin Policies

The different Cross-Origin headers supported by Really Simple SSL are:

  1. CORP: Cross-Origin Resource Policy (same-site | same-origin | cross-origin)
  2. COEP: Cross-Origin Embedder Policy (unsafe-none | require-corp)
  3. COOP: Cross-Origin Opener Policy (unsafe-none | same-origin-allow-popups | same-origin)

Practical usage in WordPress

A quick decision tree for these headers is as follows:

  • CORP: Your site is used as a resource on other websites =>
    • yes, by third-party websites => CORP set to cross-origin
    • yes, but only by your own subdomains => CORP set to same-site
    • no => CORP set to same-origin

In all cases => disable the CORP header if you need to support opening PDFs in older Chrome browsers

  • COOP: Your site uses popups which require data transfer across the windows =>
    • yes, and these popups are used on, or from, your own (sub)domain => same-site
    • yes, but with 3rd party domain popups => same-origin-allow-popups
    • no => same-site
  • COEP: Your site uses 3rd party resources that you do not manage =>
    • yes => unsafe-none
    • no => require-corp

Detailed explanation

Cross-Origin Resource Policy (CORP)

The CORP header can be used to instruct the browser to block requests to your site's resources from third-party sites.

  • Possible values: same-site | same-origin | cross-origin *
  • The recommended value is: same-origin.
  • When this header is not set, modern browsers behave as though this header is set to ‘cross-origin’
  • If your site is used by other sources from the same primary domain but on different subdomains or ports, the header should be set to ‘same-site’.
  • If your site is used as a resource for other websites, the header should be set to ‘cross-origin’.

* Please note that a bug in Chrome browsers that have not been updated after 2020 can cause issues with PDF files not fully rendering. If your site hosts PDFs and you want to support older Chrome-based browsers, set the policy to disabled.

Cross-Origin-Embedder-Policy (COEP)

The Cross-Origin-Embedder-Policy security header can prevent your site from loading any resources that don’t have the CORP header or have not been explicitly allowed through use of the CORS protocol. As there aren’t many third-party resources with the CORP header or proper CORS settings yet, setting this header to ‘require-corp’ should only be done when you need certain features like SharedArrayBuffer objects or unthrottled timers and have set up CORP or CORS correctly on the source you are sharing resources with.

  • Possible values: unsafe-none | require-corp
  • The recommended value is: unsafe-none
  • When this header is not set, modern browsers behave as though this header is set to ‘unsafe-none’
  • If your site does not use any third party resources you can set this header to ‘require-corp’

Cross-Origin-Opener-Policy (COOP)

The Cross-Origin-Opener-Policy response header is used to instruct the client that a top-level document cannot share a browsing context group with cross-origin documents. The Cross-Origin-Opener-Policy (COOP) header thus allows you to prevent resources from your site from being opened by another source (for example a popup), preventing some cross-origin attacks. Certain features like SharedArrayBuffer objects or unthrottled timers are only available if your document has a COOP header with the value ‘same-origin’ set.

  • Possible values: unsafe-none | same-origin-allow-popups | same-origin
  • The recommended value is: same-origin-allow-popups (this allows access for cross-resource popups that do not set a COOP header or set the COOP header to ‘unsafe-none’)
  • Setting this header to ‘same-origin’ might break integrations like 3rd party single sign-on solutions and payment gateways
  • When this header is not set, modern browsers behave as though this header is set to ‘unsafe-none’, which allows access to your site from any source that does not set a COOP header or sets it to ‘unsafe-none’
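To verify what a site actually sends once the three policies have been configured, the following audit script (an added example, not code from the Really Simple SSL plugin) takes a page's response headers (a constructed sample is embedded; in practice copy them from your browser's network tab or `curl -I`) and reports, per header, the effective value (using the browser defaults stated above when a header is absent), whether the value is one the header accepts, and whether it matches the recommended value. The `cross_origin_isolated` flag marks the COEP ‘require-corp’ plus COOP ‘same-origin’ combination that SharedArrayBuffer and unthrottled timers depend on.

```python
"""Audit Cross-Origin-Resource/Embedder/Opener-Policy response headers (added example)."""
from typing import Dict

# Per header: (accepted values, recommended value, browser default when absent),
# all taken from the Detailed explanation above.
POLICIES = {
    "Cross-Origin-Resource-Policy": (
        {"same-site", "same-origin", "cross-origin"}, "same-origin", "cross-origin"),
    "Cross-Origin-Embedder-Policy": (
        {"unsafe-none", "require-corp"}, "unsafe-none", "unsafe-none"),
    "Cross-Origin-Opener-Policy": (
        {"unsafe-none", "same-origin-allow-popups", "same-origin"},
        "same-origin-allow-popups", "unsafe-none"),
}


def audit_cross_origin_headers(headers: Dict[str, str]) -> dict:
    """Return one finding per policy header plus the cross-origin-isolation flag."""
    # Header names are case-insensitive; values are compared case-insensitively too.
    lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
    report = {}
    for name, (allowed, recommended, default) in POLICIES.items():
        sent = lower.get(name.lower())
        effective = sent if sent is not None else default  # browser default if missing
        report[name] = {
            "present": sent is not None,
            "effective": effective,
            "valid": sent is None or sent in allowed,  # a typo silently disables the policy
            "recommended": effective == recommended,
        }
    # COEP require-corp only delivers SharedArrayBuffer/unthrottled timers together
    # with COOP same-origin; flag the combination so the trade-off is visible.
    coep = report["Cross-Origin-Embedder-Policy"]["effective"]
    coop = report["Cross-Origin-Opener-Policy"]["effective"]
    report["cross_origin_isolated"] = coep == "require-corp" and coop == "same-origin"
    return report


# Constructed sample response: CORP set as recommended, COEP absent, COOP misspelled.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Opener-Policy": "same-origin-aloow-popups",
}

if __name__ == "__main__":
    for name, finding in audit_cross_origin_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {finding}")
```

A misspelled value shows up as `valid: False` with the misspelling as the effective value, which is the case worth catching: browsers ignore an unrecognised value and fall back to the default behaviour described above.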