Protecting Gmail users from XS-Search with Cross-Origin Opener Policy (COOP)

October 20, 2025

What’s happening

Gmail is enhancing user security by enabling the Cross-Origin Opener Policy (COOP). As a result, developers of websites and browser extensions opening or manipulating the Gmail page may have to update their code to ensure continued functionality when enforcement begins on January 20, 2026. There is no action needed from Workspace admins or end users.

COOP background

Cross-Site Search (XS-Search) is a type of Cross-Site Leak (XS-Leak) attack that targets query-based search systems, like Gmail. Attackers exploit this vulnerability by gaining control of a Gmail window, either by opening a new popup or by accessing an existing one via its window handle. Once they have this access, they can repeatedly load different search terms and use a side channel to determine whether specific search results exist, thereby leaking sensitive user data.

COOP is a web security feature designed to isolate a web application from untrusted origins. This measure will prevent attackers from accessing Gmail's window handle, thereby protecting users from various Cross-Site Search (XS-Search) attacks that rely on window handles for collecting side-channel information, such as frame counting. It also significantly hinders attacks like cache probing, which rely on timing and other observations of resources that Gmail loads for search results. While those attacks don't collect side-channel information through the window handle itself, COOP prevents the repeated searches they depend on, which increases their difficulty and reduces their effectiveness, making them far less of a threat.

Who’s impacted

Websites or browser extensions that open Gmail in a pop-up window and interact with that window by accessing its properties (closed, location, length, focus) or invoking its functions (close, postMessage) are affected. Also affected are browser extensions that are injected into the Gmail page and access the opener handle, which is a reference to the window that opened the current Gmail page.

Additional details

To enforce COOP, the Cross-Origin-Opener-Policy header will be present in the response:

Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gmail-web-coop-coep"

Report-To: {"group":"gmail-web-coop-coep","endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gmail-web"}]}
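As an added example (not code from the Google post), here is a small JavaScript model of the HTML specification's browsing-context-group switch check, which is what makes the `same-origin-allow-popups` value above sever a third-party opener's handle to Gmail while leaving Gmail's own popups reachable. The origins, the `openPopup`/`navigateExisting` helpers and the scenario names are constructed for illustration.

```javascript
// Model of the HTML spec algorithm "check browsing context group switch due
// to cross-origin opener policy". A switch means the opener's WindowProxy is
// severed: it reports closed === true and the new document gets opener === null.
const UNSAFE_NONE = "unsafe-none";
const SAME_ORIGIN = "same-origin";
const SAME_ORIGIN_ALLOW_POPUPS = "same-origin-allow-popups";

function coopRequiresBcgSwitch({ currentOrigin, currentCoop, isInitialAboutBlank,
                                 responseOrigin, responseCoop }) {
  // Step 1: same policy value and same origin -> stay in the same group.
  if (currentCoop === responseCoop && currentOrigin === responseOrigin) return false;
  // Step 2: a fresh popup from an allow-popups page may load an unsafe-none
  // document and remain reachable (this is the "allow-popups" carve-out).
  if (isInitialAboutBlank && currentCoop === SAME_ORIGIN_ALLOW_POPUPS &&
      responseCoop === UNSAFE_NONE) return false;
  // Every other mismatch switches groups and severs the handle.
  return true;
}

// Models `window.open(url)`: the popup starts as an initial about:blank that
// inherits the opener's origin and COOP, then receives the response.
function openPopup(openerOrigin, openerCoop, targetOrigin, targetCoop) {
  const severed = coopRequiresBcgSwitch({ currentOrigin: openerOrigin, currentCoop: openerCoop,
    isInitialAboutBlank: true, responseOrigin: targetOrigin, responseCoop: targetCoop });
  return { handleClosed: severed, openerIsNull: severed };
}

// Models a later navigation of an already-loaded document (e.g. setting
// handle.location): the current document's own origin and COOP apply.
function navigateExisting(currentOrigin, currentCoop, targetOrigin, targetCoop) {
  return coopRequiresBcgSwitch({ currentOrigin, currentCoop, isInitialAboutBlank: false,
    responseOrigin: targetOrigin, responseCoop: targetCoop });
}

const GMAIL = "https://mail.google.com"; // constructed sample origins below
const THIRD_PARTY = "https://third-party.example";
const scenarios = {
  // A third-party site opens Gmail: the precondition of the XS-Search attack.
  thirdPartyOpensGmail: openPopup(THIRD_PARTY, UNSAFE_NONE, GMAIL, SAME_ORIGIN_ALLOW_POPUPS),
  // Same-origin popup opened first, then steered to Gmail: still severed.
  thirdPartyPopupNavigatedToGmail: navigateExisting(THIRD_PARTY, UNSAFE_NONE, GMAIL, SAME_ORIGIN_ALLOW_POPUPS),
  // Gmail opening its own window keeps the handle.
  gmailOpensGmail: openPopup(GMAIL, SAME_ORIGIN_ALLOW_POPUPS, GMAIL, SAME_ORIGIN_ALLOW_POPUPS),
  // Gmail opening a cross-origin popup that sets no COOP keeps the handle too.
  gmailOpensThirdPartyPopup: openPopup(GMAIL, SAME_ORIGIN_ALLOW_POPUPS, THIRD_PARTY, UNSAFE_NONE),
  // The stricter "same-origin" value would have severed that popup.
  strictGmailOpensThirdPartyPopup: openPopup(GMAIL, SAME_ORIGIN, THIRD_PARTY, UNSAFE_NONE),
};
console.table(scenarios);
```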

Getting started

  • Developers:
    • For websites and browser extensions opening Gmail, refactor the offending code to avoid accessing the window's properties or functions through the window handle, and instead use alternative APIs to achieve the desired functionality (e.g., chrome.tabs, Messaging).
    • For browser extensions injected into the Gmail page, instead of trying to communicate with or access the opener, the browser extension should be updated so it doesn't need to interact with it at all and the extension's logic should be revised to work independently. If that is not possible, browser extensions can use existing APIs (e.g., chrome.tabs) to implement their logic.
  • Admins: There is no admin control for this feature.
  • End users: There is no end user setting for this feature.

Rollout pace

  • Enforcement will begin on January 20, 2026. Rollout will be extended (potentially longer than 15 days for feature visibility).

Resources
