ASVS Requirement 3.4.8
- Level: 3
- Chapter: V3 Web Frontend Security
- Section: V3.4 Browser Security Mechanism Headers
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that all HTTP responses that initiate a document rendering (such as responses with Content-Type text/html) include the Cross-Origin-Opener-Policy header field with the same-origin directive or the same-origin-allow-popups directive, as required. This prevents attacks that abuse shared access to Window objects, such as tabnabbing and frame counting.
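As an added illustration (not part of the ASVS text), a small Python checker that evaluates captured response header fields against this requirement; the sample responses, the list of document media types and the field-name handling are constructed assumptions for the example:

```python
from dataclasses import dataclass
from typing import Mapping

# Directives that satisfy ASVS 3.4.8; any other value (or no header) fails.
COMPLIANT_DIRECTIVES = {"same-origin", "same-origin-allow-popups"}
# Media types treated as "initiates a document rendering" (assumed list).
DOCUMENT_MEDIA_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass(frozen=True)
class CoopFinding:
    renders_document: bool  # response would be rendered as a document
    compliant: bool         # True when 3.4.8 is satisfied or not applicable
    reason: str


def media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def check_coop(headers: Mapping[str, str]) -> CoopFinding:
    """Evaluate one response's header fields against ASVS 3.4.8."""
    lowered = {k.lower(): v for k, v in headers.items()}  # field names are case-insensitive
    mt = media_type(lowered.get("content-type", ""))
    if mt not in DOCUMENT_MEDIA_TYPES:
        return CoopFinding(False, True, f"not a document response ({mt or 'no Content-Type'})")
    coop = lowered.get("cross-origin-opener-policy")
    if coop is None:
        return CoopFinding(True, False, "Cross-Origin-Opener-Policy header missing")
    # COOP is a structured-field item: a directive token, optionally followed by
    # parameters (e.g. report-to=...) that do not change the policy itself.
    directive = coop.split(";", 1)[0].strip().lower()
    if directive in COMPLIANT_DIRECTIVES:
        return CoopFinding(True, True, f"directive '{directive}' isolates the Window from cross-origin openers")
    return CoopFinding(True, False, f"directive '{directive}' leaves the Window reachable cross-origin")


# Constructed sample responses keyed by path (not captured from any real site).
SAMPLE_RESPONSES = {
    "/": {"Content-Type": "text/html; charset=utf-8", "Cross-Origin-Opener-Policy": "same-origin"},
    "/login": {"content-type": "text/html",
               "cross-origin-opener-policy": 'same-origin-allow-popups; report-to="coop"'},
    "/legacy": {"Content-Type": "text/html", "Cross-Origin-Opener-Policy": "unsafe-none"},
    "/dashboard": {"Content-Type": "text/html"},
    "/api/users": {"Content-Type": "application/json"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Run check_coop over every response; non-compliant entries are the findings."""
    return {path: check_coop(h) for path, h in responses.items()}
```

Run `audit(SAMPLE_RESPONSES)` and report every entry whose `compliant` is False; JSON or other non-document responses are deliberately reported as not applicable rather than as failures.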