Restrictive Cross-Origin-Opener-Policy for OAuth Authorization Page

[christiandeange]

Describe the bug

The https://bsky.social/oauth/authorize page loads in with a response header

cross-origin-opener-policy: same-origin

which prevents the window that opened it from being able to communicate with it in any way. This destroys the window's window.opener and prevents the window that opened it from being able to detect if the popup was closed prematurely, among other things.

To Reproduce

Steps to reproduce the behavior:

const popup = window.open('https://bsky.social/oauth/authorize', '_blank', 'scrollbars=no,status=no,toolbar=no,menubar=no,width=800,height=600');

Expected behavior

popup.closed immediately reports true, even while the popup window remains opened. popup.opener is also set to null when it should ideally reference the window that opened it.

This could be fixed by simply omitting the Cross-Origin-Opener-Policy header.

Details

• Operating system: macOS Sonoma Version 14.5 (23F79)
• Chrome version: 133.0.6943.55 (Official Build) (arm64)

Additional context

The standard Google OAuth window (https://accounts.google.com/o/oauth2/auth/oauthchooseaccount?...) does not set this same header. Instead it only sets violations to be reported:

cross-origin-opener-policy-report-only: same-origin; report-to="coop_gse_qebhlk"