Summary
The Cross-Origin-Opener-Policy response header lets a site decide whether other included documents share the same browsing context. Sharing a browsing context with untrusted documents may result in data leakage.
Solution
Ensure that the application or web server sets the Cross-Origin-Opener-Policy header for documents, with the value ‘same-origin’. ‘same-origin-allow-popups’ is a less secure option that should be avoided. If at all feasible, use a standards-compliant and contemporary web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
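One way to verify the setting described above is to audit captured response headers. This is an added example, not part of the original finding text; the function name `audit_coop`, the status labels and the sample headers are all constructed for illustration.

```python
ENFORCING = "cross-origin-opener-policy"
REPORT_ONLY = "cross-origin-opener-policy-report-only"


def audit_coop(headers):
    """Classify a response from its (name, value) header list.

    Returns (status, detail); status is "ok", "weak" or "missing".
    """
    # Header names are case-insensitive, and a proxy may add a second copy.
    values = [v for n, v in headers if n.strip().lower() == ENFORCING]
    report_only = any(n.strip().lower() == REPORT_ONLY for n, _ in headers)

    if not values:
        if report_only:
            return "missing", "only the Report-Only variant is set; nothing is enforced"
        return "missing", "header not set"

    # The value is one token, optionally followed by parameters such as
    # report-to="coop". Split the parameters off before inspecting the token.
    token_part = values[0].split(";", 1)[0]
    if len(values) > 1 or "," in token_part:
        return "weak", "multiple values sent; emit exactly one header"

    # Structured-field tokens are case-sensitive, so compare the value exactly.
    token = token_part.strip()
    if token == "same-origin":
        return "ok", "same-origin"
    if token == "same-origin-allow-popups":
        return "weak", "same-origin-allow-popups is the less secure option"
    return "weak", f"value {token!r} is not same-origin"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": [("Content-Type", "text/html"),
                 ("cross-origin-opener-policy", 'same-origin; report-to="coop"')],
    "popups": [("Cross-Origin-Opener-Policy", "same-origin-allow-popups")],
    "report_only": [("Cross-Origin-Opener-Policy-Report-Only", "same-origin")],
    "duplicated": [("Cross-Origin-Opener-Policy", "same-origin"),
                   ("Cross-Origin-Opener-Policy", "unsafe-none")],
    "wrong_case": [("Cross-Origin-Opener-Policy", "Same-Origin")],
    "absent": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} {audit_coop(hdrs)}")
```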