Set correct header

app/config/application.rb

@@ -14,6 +14,7 @@
 require "action_cable/engine"
 # require "rails/test_unit/railtie"
 require_relative "../lib/site_config.rb"
+require_relative "../lib/middleware/add_cross_origin_opener_policy"
 
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
@@ -41,5 +42,6 @@ class Application < Rails::Application
     config.autoload_paths += %W[#{config.root}/app/helpers]
     config.autoload_paths += %W[#{config.root}/app/controllers/concerns]
     config.sites = SiteConfig.new(Rails.root.join("config", "site-config.yml"))
+    config.middleware.insert_before 0, Middleware::AddCrossOriginOpenerPolicy
   end
 end

app/lib/middleware/add_cross_origin_opener_policy.rb

@@ -0,0 +1,15 @@
+module Middleware
+  class AddCrossOriginOpenerPolicy
+    COOP_HEADER = "Cross-Origin-Opener-Policy"
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      status, headers, response = @app.call(env)
+      headers[COOP_HEADER] = "same-origin" unless headers.key?(COOP_HEADER)
+      [status, headers, response]
+    end
+  end
+end