Merge pull request #604 from reown-com/devin/1755528358-add-cross-origin-opener-policy-csp

Add Cross-Origin-Opener-Policy header to CSP documentation for AppKit social login security

Author: rohit-710

.cspell.json

@@ -39,7 +39,7 @@
       "nosocial", "bitget", "leather", "binance", "uniswap", "safepal", "bybit", "phantom", "ledger", "timeless-x", "safe", "zerion", "oneinch", "crypto-com", "imtoken", "kraken", "ronin", "robinhood", "exodus", "argent", "tokenpocket", "Contractaddress", 
       "executionreverted", "FATF", "VASP", "LLMSTXT", "Frontmatter", "CASP", "DKMS", "hydradx", "phala", "astar", "mangata", "polkadotjs", "Dogecoin", "Blockbook", "vuejs", "xsmall", "rgba", "mintlify", "filteredwallets",
       "tnum","minmax","toolkits", "autoplay", "Litoshi", "Litoshis", "encryptor's", "Everscale", "Bitcore", "satoshis", "Parachain", "Bitcore", "walletlist", "Userflow", "retryable", "USDS", "Arbitrum", "Wolfswap", "Halborn", "Pentest", "Spearbit", "valtio",
-      "reshare", "microstacks", "Prebuild", "APKT", "offchain", "Bitgpt", "Restaking", "Synthetix", "lamports", "mmkv", "Windscribe", "Dappkit"
+      "reshare", "microstacks", "Prebuild", "APKT", "offchain", "tabnabbing", "Bitgpt", "Restaking", "Synthetix", "lamports", "mmkv", "Windscribe", "Dappkit"
     ]
   }
 

advanced/security/content-security-policy.mdx

@@ -20,6 +20,7 @@ img-src * 'self' data: blob: https://walletconnect.org https://walletconnect.com
 font-src 'self' https://fonts.gstatic.com https://fonts.reown.com;
 connect-src 'self' https://rpc.walletconnect.com https://rpc.walletconnect.org https://relay.walletconnect.com https://relay.walletconnect.org wss://relay.walletconnect.com wss://relay.walletconnect.org https://pulse.walletconnect.com https://pulse.walletconnect.org https://api.web3modal.com https://api.web3modal.org https://keys.walletconnect.com https://keys.walletconnect.org https://notify.walletconnect.com https://notify.walletconnect.org https://echo.walletconnect.com https://echo.walletconnect.org https://push.walletconnect.com https://push.walletconnect.org wss://www.walletlink.org https://cca-lite.coinbase.com;
 frame-src 'self' https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.com https://secure.walletconnect.org;
+Cross-Origin-Opener-Policy: same-origin-allow-popups;
 ```
 
 <Note>
@@ -30,6 +31,12 @@ For a full of list of RPC sources used by `wagmi/viem`, please refer to [Viem's
 
 </Note>
 
+<Note>
+
+**Cross-Origin-Opener-Policy for Social Login Security**: The `Cross-Origin-Opener-Policy: same-origin-allow-popups` header is essential when using AppKit's social login features (Google, X, GitHub, Discord, Apple, Facebook, Farcaster). This header helps prevent tabnabbing attacks during OAuth flows by controlling how popup windows can interact with your application. Without this header, malicious sites could potentially hijack the authentication flow and redirect users to phishing pages.
+
+</Note>
+
 ## Testing and Deploying Your CSP
 
 ### Test Your CSP in a Staging Environment