You should add `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` to securityheaders.com. Default for both is unsafe-none.
developer.mozilla.org/en-US/docs/Web
Decent guide on it at web.dev/coop-coep/.
It's also something else that could be supporting. These are needed to enforce proper site isolation (isolated process for each site).
It's the main protection available to sites to defend against local timing attacks or a browser renderer compromise.
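
The check requested at the top of this thread, as an added example that is not part of the thread and not securityheaders.com's own code: it grades a response's headers against the two recommended values, treating a missing header as `unsafe-none`. The function names and sample headers are constructed for illustration.

```python
# Added example: grade COOP/COEP response headers against the values the thread recommends.
DEFAULT = "unsafe-none"  # per the thread, the default for both headers
RECOMMENDED = {
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
}

def policy_token(headers, name):
    """Return the lowercased policy token for header `name`, or DEFAULT if absent."""
    for key, value in headers.items():
        if key.strip().lower() == name:  # header names are case-insensitive
            # Drop parameters such as '; report-to="endpoint"' and normalise case.
            return value.split(";", 1)[0].strip().lower() or DEFAULT
    return DEFAULT

def grade(headers):
    """Compare a response's headers with the recommended COOP/COEP values."""
    lowered = {k.strip().lower() for k in headers}
    effective, findings = {}, []
    for name, wanted in RECOMMENDED.items():
        token = policy_token(headers, name)
        effective[name] = token
        if token != wanted:
            findings.append(f"{name} is {token}; recommended {wanted}")
            # A Report-Only header only reports; it does not enforce the policy.
            if name + "-report-only" in lowered:
                findings.append(f"{name}-report-only is set but not enforced")
    return {"effective": effective, "meets_recommendation": not findings,
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample responses.
    samples = {
        "no headers": {},
        "both set": {"Cross-Origin-Opener-Policy": "same-origin",
                     "cross-origin-embedder-policy": 'require-corp; report-to="coep"'},
        "report-only COOP": {"Cross-Origin-Opener-Policy-Report-Only": "same-origin",
                             "Cross-Origin-Embedder-Policy": "require-corp"},
    }
    for label, hdrs in samples.items():
        print(label, grade(hdrs))
```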

