diff --git a/src/base/http/types.h b/src/base/http/types.h
index fca20dc6c..2bf435009 100644
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@@ -47,6 +47,7 @@ namespace Http
 inline const QString HEADER_CONTENT_LENGTH = u"content-length"_qs;
 inline const QString HEADER_CONTENT_SECURITY_POLICY = u"content-security-policy"_qs;
 inline const QString HEADER_CONTENT_TYPE = u"content-type"_qs;
+ inline const QString HEADER_CROSS_ORIGIN_OPENER_POLICY = u"cross-origin-opener-policy"_qs;
 inline const QString HEADER_DATE = u"date"_qs;
 inline const QString HEADER_HOST = u"host"_qs;
 inline const QString HEADER_ORIGIN = u"origin"_qs;
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 6fd0e4ce6..2411e9e1b 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -406,7 +406,10 @@ void WebApplication::configure()
 m_prebuiltHeaders.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS, u"nosniff"_qs});
 if (!m_isAltUIUsed)
+ {
+ m_prebuiltHeaders.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY, u"same-origin"_qs});
 m_prebuiltHeaders.push_back({Http::HEADER_REFERRER_POLICY, u"same-origin"_qs});
+ }
 const bool isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
 if (isClickjackingProtectionEnabled)
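Review bot: The new `Cross-Origin-Opener-Policy: same-origin` header is emitted only under `if (!m_isAltUIUsed)`, and nothing in the webapplication.cpp hunk says why an alternative WebUI is exempted from it (or from the Referrer-Policy line it now shares the block with); presumably the concern is that a third-party UI may depend on cross-origin window/opener references that COOP severs, but that is inferred, not visible here. A short comment above the `if` would prevent the next maintainer from "fixing" the gate, e.g. `// COOP/Referrer-Policy are only sent for the bundled WebUI; an alternative UI may legitimately rely on cross-origin opener/popup references that COOP severs.` It is also worth noting in that comment that COOP is only meaningful on top-level document responses, so its presence in `m_prebuiltHeaders` (which appears to be attached to every response, including API ones) is harmless but not a protection for those endpoints. `WebApplication::configure()` begins and ends outside the hunk.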