content(security): add cross-origin isolation (COOP / COEP / CORP)#32
Merged
- open-graph: drop dead MDN "Open Graph protocol" page (Web/OpenGraph now 404s; MDN removed the standalone page). Primary source ogp.me already cited, so coverage is unaffected. - hreflang: Google renamed the docs path segment specialized -> specialty; old URL 404s. - global-privacy-control: GPC spec moved to the W3C org (w3c.github.io/gpc/); old globalprivacycontrol.github.io/gpc-spec/ 404s. Bumped `updated` on each. URLs verified live before committing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The site already ships Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-site in public/_headers, but had no spec page documenting them. Add a security page covering COOP, COEP and CORP, wire relatedSlugs on the three adjacent security pages. Closes the ship-it-before-you-spec-it gap for these headers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying specification-website with Cloudflare Pages

| Field | Value |
|---|---|
| Latest commit: | f6faa97 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://a52c626d.specification-website.pages.dev |
| Branch Preview URL: | https://content-cross-origin-isolati.specification-website.pages.dev |
…efit Rewrite the COOP/CORP 'Why it matters' to lead with the concrete harm to real users (tabnabbing, silent cross-site snooping) before the mechanism, define Spectre plainly instead of the jargon 'Spectre-style memory disclosure', and link web.dev's cross-origin isolation explainer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jdevalk added a commit that referenced this pull request on Jun 11, 2026:
PR #32 merged the spec page but omitted two tracked artifacts: the changelog entry and the per-page OG image. Add both, plus the four count-driven OG images the new page bumps (homepage/checklist/spec totals + security category count). Every page now has an OG image. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What changed

Adds a new security spec page: Cross-origin isolation (COOP / COEP / CORP) at `src/content/spec/security/cross-origin-isolation.md`, and wires `relatedSlugs` on the three adjacent security pages (`content-security-policy`, `frame-ancestors`, `permissions-policy`).

Why now

The site already ships `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Resource-Policy: same-site` on every response (`public/_headers`), but no spec page documented them. This closes the "ship it before you spec it" divergence — we recommend a behaviour we already implement, with a worked-example callout pointing at our own `_headers`.

Primary sources

Status: `recommended`

Not `required` — the platform contract does not break without these headers; most sites function without them. Not merely `optional` — they are baseline hardening against tabnabbing / XS-Leaks (COOP) and Spectre-style cross-origin resource theft (CORP), and we ship two of the three. Full cross-origin isolation via `COEP: require-corp` is described as opt-in/situational within the page, since it can break third-party embeds and is only needed for `SharedArrayBuffer`-class APIs.

Verification

`npm run build` passes; Pagefind indexes 135 pages (was 134). `/spec/security/cross-origin-isolation/`, serves at `.md`, and appears in `/checklist/` and `/llms.txt`.

Draft — not for merge without human review. MCP Worker redeploy is a post-merge human step.

🤖 Generated with Claude Code
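An added example, not code from PR #32 or from the spec page: a small Python model of how a browser reads the three headers, run against the pair this site ships (`COOP: same-origin` plus `CORP: same-site`) and against the opt-in `COEP: require-corp` configuration the page describes. The `THIRD_PARTY_EMBED` resource and the same-origin/same-site flags are constructed inputs.

```python
# Added example (not PR #32 or spec-page code); sample headers below are constructed.

COOP_ISOLATING = {"same-origin"}
COEP_ISOLATING = {"require-corp", "credentialless"}

def header(headers, name, default=None):
    """Case-insensitive header lookup; value is normalised to lowercase."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return default

def is_cross_origin_isolated(doc_headers):
    """crossOriginIsolated needs BOTH COOP same-origin and COEP require-corp or
    credentialless; COOP + CORP alone (what the site ships) never unlocks
    SharedArrayBuffer-class APIs."""
    coop = header(doc_headers, "Cross-Origin-Opener-Policy", "unsafe-none")
    coep = header(doc_headers, "Cross-Origin-Embedder-Policy", "unsafe-none")
    return coop in COOP_ISOLATING and coep in COEP_ISOLATING

def subresource_allowed(doc_headers, resource_headers, same_origin, same_site, cors=False):
    """Does a no-cors subresource load survive? CORP on the resource is always
    enforced; COEP: require-corp on the document additionally rejects any
    cross-origin resource carrying no CORP unless it was fetched with CORS.
    That second rule is the 'can break third-party embeds' caveat in the PR."""
    corp = header(resource_headers, "Cross-Origin-Resource-Policy")
    if same_origin:
        return True
    if corp == "same-origin" or (corp == "same-site" and not same_site):
        return False
    coep = header(doc_headers, "Cross-Origin-Embedder-Policy", "unsafe-none")
    if coep == "require-corp" and corp is None and not cors:
        return False
    return True

# What public/_headers ships today, per the PR description.
SHIPPED = {"Cross-Origin-Opener-Policy": "same-origin",
           "Cross-Origin-Resource-Policy": "same-site"}
# The opt-in full-isolation variant the spec page describes.
ISOLATED = dict(SHIPPED, **{"Cross-Origin-Embedder-Policy": "require-corp"})
THIRD_PARTY_EMBED = {}  # constructed: a cross-site script/image with no CORP header

if __name__ == "__main__":
    print("shipped isolated?", is_cross_origin_isolated(SHIPPED))      # False
    print("with COEP isolated?", is_cross_origin_isolated(ISOLATED))   # True
    print("embed under shipped:", subresource_allowed(SHIPPED, THIRD_PARTY_EMBED, False, False))  # True
    print("embed under COEP:", subresource_allowed(ISOLATED, THIRD_PARTY_EMBED, False, False))    # False
```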