          Cross-Origin Security Headers

          Enabling Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) in Salesforce session settings.

          Control Name

          Cross-Origin Security

          Recommended Configuration

          • Enable Cross-Origin Opener Policy (COOP)
          • Enable Cross-Origin Embedder Policy (COEP)

          Setup > Session Settings > Enable Cross-Origin Opener Policy (COOP) | Enable Cross-Origin Embedder Policy (COEP).

          Control Overview

          Enabling Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) in Salesforce session settings is a security control that establishes a "cross-origin isolated" environment: it isolates the page's browsing context from external windows and requires all embedded resources to explicitly opt in via CORS headers. This prevents malicious cross-origin documents from interacting with your Salesforce pages or using side-channel attacks such as Spectre to leak sensitive data from the browser's memory.

          Security Risk If Not Configured

          Not enabling Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) exposes the browser session to Spectre-style side-channel attacks, where a malicious site can potentially read sensitive data—such as session tokens or record details—directly from the browser's process memory.

          Threat Scenarios

          A user visits a malicious website in one browser tab while their Salesforce session is active in another, allowing the attacker to exploit the lack of process-level isolation. Using side-channel techniques like Spectre, the malicious site can then silently read sensitive data—such as session tokens or private record details—directly from the browser’s shared memory.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Failing to implement these controls creates a significant operational risk, because it leaves the organization vulnerable to data exfiltration via malicious cross-origin windows. Conversely, enabling them suddenly and without proper testing can break critical third-party integrations, iframes, and OAuth-based authentication flows.

          Higher Risk When

          The risk of side-channel attacks is significantly worsened by a lack of a robust Content Security Policy (CSP) and missing Cross-Origin Resource Policy (CORP) headers, which together fail to restrict the loading of malicious scripts and unauthorized sub-resources.

          Furthermore, the absence of strict CORS configurations and unmonitored "Trusted URLs" allows external domains to easily load your Salesforce pages in their own browsing context, creating a much larger attack surface for data-leaking exploits.

          Low or No Risk When

          To minimize the risk of cross-origin data leaks when COOP and COEP are not enabled, organizations should implement a Strict Content Security Policy (CSP) to restrict the loading of external scripts and resources to only verified and trusted domains.

          Additionally, enforcing short session timeouts, requiring Multi-Factor Authentication (MFA), and using Salesforce Shield Event Monitoring can provide a vital layer of defense-in-depth by reducing the window for side-channel attacks and providing real-time detection of suspicious data access patterns.

          Business and Integration Considerations

          Evaluate how your organization interacts with external content and third-party windows. These headers are used to achieve a "cross-origin isolated" state, which protects against Spectre-style attacks but can also break existing functionality.

          Recommended Remediation

          Enable COOP and COEP in Session Settings.

          Security Health Review Guidance

          Security Health Review inspects the Session Settings configuration to verify that COOP and COEP are enabled, in line with industry best practice.
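          As an added example (not Salesforce tooling or code from this article), the following Python check evaluates whether a response's COOP and COEP headers actually yield a cross-origin isolated context, which is what the two Session Settings toggles are meant to produce. The accepted header values follow the HTML specification (COOP `same-origin`; COEP `require-corp` or `credentialless`); the sample responses are constructed, and `check_url` is a hypothetical helper that needs network access.

```python
"""Check whether HTTP response headers establish cross-origin isolation (COOP + COEP)."""
import urllib.request

# Only these values produce a cross-origin isolated browsing context (HTML spec).
COOP_ISOLATING = {"same-origin"}
COEP_ISOLATING = {"require-corp", "credentialless"}


def _directive(value):
    """Return the policy token, lowercased, ignoring any `; report-to=...` suffix."""
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()


def evaluate_isolation(headers):
    """Return (isolated, findings) for a mapping of response headers (any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    coop = _directive(lower.get("cross-origin-opener-policy"))
    coep = _directive(lower.get("cross-origin-embedder-policy"))
    findings = []
    if coop not in COOP_ISOLATING:
        findings.append(f"COOP missing or non-isolating (got {coop!r}); expected same-origin")
    if coep not in COEP_ISOLATING:
        findings.append(f"COEP missing or non-isolating (got {coep!r}); expected require-corp")
    return (not findings), findings


def check_url(url, timeout=10):
    """Hypothetical helper: HEAD-request a URL and evaluate its headers (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return evaluate_isolation(dict(resp.headers))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real org.
    samples = {
        "hardened": {"Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"',
                     "Cross-Origin-Embedder-Policy": "require-corp"},
        "coop-only": {"Cross-Origin-Opener-Policy": "same-origin"},
        "unsafe-none": {"Cross-Origin-Opener-Policy": "unsafe-none",
                        "Cross-Origin-Embedder-Policy": "unsafe-none"},
    }
    for name, hdrs in samples.items():
        ok, why = evaluate_isolation(hdrs)
        print(f"{name}: {'cross-origin isolated' if ok else 'NOT isolated'} {why}")
```

          Note that `same-origin-allow-popups` is deliberately rejected: it keeps popup-based OAuth flows working but does not grant cross-origin isolation, which is exactly the trade-off the integration considerations above refer to.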

          Salesforce Help | Article