          Protect Your Visualforce Pages with Cross-Origin Opener Policy (COOP)

          Help shield your custom Visualforce pages from external attacks. When you enable Cross-Origin Opener Policy (COOP), each top-level custom Visualforce page opens in a new browsing context group. This process prevents direct access between other browser tabs and your Visualforce page and the page’s content.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To modify session security settings: Customize Application

          COOP helps to shield your Visualforce pages from cross-site scripting (XSS), a type of security vulnerability. With XSS, an attacker includes malicious code in a client-side script in a legitimate web page or web application. When a user visits the page or application, the web page or application delivers the malicious script to the user’s browser.

          With COOP, each top-level custom Visualforce page opens in a new browsing context group. Browser content that your Visualforce page opens within an iframe can access the parent page. However, processes that open your page in a new tab or pop-up window can’t access the page, which blocks that path for potential cross-origin attacks.

          Note: To preserve your users’ access to required content, we recommend that you review the expected behavior and test COOP in a sandbox before you enable this feature in production.

          Browser access checks use the headers for both your Visualforce page and the external sites that you access from your page. The combination of Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) headers determines whether the Visualforce page and external sites can interact. To learn more about COOP and COEP, we recommend these topics on MDN Web Docs: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy.
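The header check described above can be modelled in a few lines. This is an added example, not Salesforce code: a simplified version of the HTML Standard's browsing-context-group check for a pop-up or new tab. The hosts are hypothetical and the header values are constructed; this page doesn't state which COOP value Salesforce sends, so `same-origin` is an assumption.

```javascript
// Simplified model of the HTML Standard's COOP check for a pop-up or new tab.
// Not modelled: report-only headers, "noopener-allow-popups", sandboxing.
const COOP_VALUES = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);
const ISOLATING_COEP = new Set(["require-corp", "credentialless"]);

// First token of a header value, ignoring parameters such as report-to.
function token(headerValue) {
  return (headerValue || "").split(";")[0].trim();
}

// Effective COOP value of a response. A missing or unrecognised header counts
// as "unsafe-none"; "same-origin" combined with an isolating COEP is tracked
// as the distinct value "same-origin-plus-COEP".
function effectiveCoop(headers) {
  const coop = token(headers["cross-origin-opener-policy"]);
  if (!COOP_VALUES.has(coop)) return "unsafe-none";
  const coep = token(headers["cross-origin-embedder-policy"]);
  if (coop === "same-origin" && ISOLATING_COEP.has(coep)) return "same-origin-plus-COEP";
  return coop;
}

// True when the opened document lands in a new browsing context group, so
// neither side keeps a usable window reference to the other.
function openerIsSevered(opener, opened) {
  const a = effectiveCoop(opener.headers);
  const b = effectiveCoop(opened.headers);
  if (a === "unsafe-none" && b === "unsafe-none") return false;
  const sameOrigin = new URL(opener.url).origin === new URL(opened.url).origin;
  if (a !== "unsafe-none" && b !== "unsafe-none" && a === b && sameOrigin) return false;
  // A fresh pop-up from a same-origin-allow-popups opener keeps its opener
  // only if the opened page sets no COOP of its own.
  if (a === "same-origin-allow-popups" && b === "unsafe-none") return false;
  return true;
}

// Constructed sample responses (hypothetical hosts; header values are assumptions).
const vf = { url: "https://vf.example.test/apex/Orders",
  headers: { "cross-origin-opener-policy": "same-origin" } };
const vfIsolated = { url: "https://vf.example.test/apex/Report",
  headers: { "cross-origin-opener-policy": "same-origin",
             "cross-origin-embedder-policy": "require-corp" } };
const external = { url: "https://partner.example.test/launch", headers: {} };

console.log("external opens VF page:", openerIsSevered(external, vf));
console.log("VF page opens external:", openerIsSevered(vf, external));
console.log("VF page opens VF page: ", openerIsSevered(vf, vf));
console.log("isolated VF opens VF:  ", openerIsSevered(vfIsolated, vf));
```

The last case shows why both headers matter: two pages on the same origin with the same COOP value still land in separate groups when only one of them also sends an isolating COEP header.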

          1. From Setup, in the Quick Find box, enter Session Settings, and then click Session Settings.
          2. In the Visualforce Cross-Origin Security Headers section, select Cross-Origin Opener Policy (COOP).
          3. Save your changes.
           