I've noticed a behavior where when a parent domain has the Cross-Origin-Opener-Policy security header set to same-origin, it prevents a Zoid component from launching as a POPUP. Interestingly, the Zoid component is able to launch fine as an IFRAME even with this security header. When I change the COOP header to same-origin-allow-popups, the Zoid POPUP works.
I believe this has to do with the following:
For iframes: COOP set on the main page does not directly isolate the iframe content. The COOP policy only applies to the document itself, meaning that embedded iframes do not inherit the COOP policy from their parent. Each iframe can set its own COOP header, which will control how it behaves in terms of cross-origin isolation. If the iframe does not have a COOP header, it won’t be affected by the COOP settings of its parent document.
For popups or new windows: When you open a new window (e.g., with window.open), COOP will be enforced based on the policy set in the originating window. This means if the parent window has a COOP header, the new window must match this COOP policy. When COOP policies between the parent and child are incompatible (e.g., one window has COOP: same-origin and the other does not, or they have conflicting COEP policies), the browser will separate them into different browsing context groups. In this case, window.opener will be nullified for security reasons, and direct postMessage communication via window.opener will no longer be possible.
I was able to re-create this issue locally so I'm fairly confident in the above explanation. Is this just a limitation of cross-origin components on the web or is there anything that the component can do to prevent the issue (other than forcing to launch the component in an IFRAME which is non-ideal in most mobile environments)?
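The popup behaviour reported in this issue can be reproduced with a simplified model of the HTML Standard's COOP check for a `window.open()` navigation. This is an added example, not part of the original issue and not Zoid code; the function names and the `merchant.example` / `component.example` origins are hypothetical, and only the three classic COOP values are modelled.

```javascript
// Simplified model: does a popup opened with window.open() keep window.opener?
// Added illustration; names and origins are hypothetical, not Zoid's API.
const COOP_VALUES = ["unsafe-none", "same-origin-allow-popups", "same-origin"];

// An absent header means unsafe-none; any value outside the three modelled
// here is also treated as unsafe-none (COEP-dependent variants are out of scope).
function parseCoop(header) {
  if (!header) return "unsafe-none";
  const token = header.split(";")[0].trim();
  return COOP_VALUES.includes(token) ? token : "unsafe-none";
}

// Two documents may share a browsing context group only if their COOP values match.
function coopMatches(valueA, originA, valueB, originB) {
  if (valueA === "unsafe-none" && valueB === "unsafe-none") return true;
  if (valueA === "unsafe-none" || valueB === "unsafe-none") return false;
  return valueA === valueB && originA === originB;
}

// The popup starts as an initial about:blank that inherits the opener's COOP,
// then navigates to the component URL, whose response carries its own COOP.
function popupKeepsOpener(opener, popup) {
  const openerCoop = parseCoop(opener.coop);
  const popupCoop = parseCoop(popup.coop);
  const openerOrigin = new URL(opener.url).origin;
  const popupOrigin = new URL(popup.url).origin;
  if (coopMatches(openerCoop, openerOrigin, popupCoop, popupOrigin)) return true;
  // Single exception: a same-origin-allow-popups opener may keep a popup
  // whose document sets no COOP of its own.
  return openerCoop === "same-origin-allow-popups" && popupCoop === "unsafe-none";
}

// Constructed scenarios mirroring the issue: parent page and cross-origin component.
function runScenarios() {
  const parentUrl = "https://merchant.example/checkout";
  const popup = { url: "https://component.example/widget", coop: null };
  return ["same-origin", "same-origin-allow-popups", null].map((coop) => ({
    parentCoop: parseCoop(coop),
    openerPreserved: popupKeepsOpener({ url: parentUrl, coop }, popup),
  }));
}

console.log(runScenarios());
```

When `openerPreserved` is false, the popup lands in a new browsing context group, so messaging that relies on `window.opener` has no reference to use.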