It seems Firefox is not treating the COOP/COEP headers as it should, and it's interpreting `Cross-Origin-Opener-Policy: same-origin` as to only allow the same domain (wapm.io) but not any parent subdomain (registry-cdn.wapm.io), while Chrome supports fully this use case treating both domains as `same-origin`.
In summary, I believe it's a bug in Firefox that I'm not sure how can be bypassed.
EDIT: I got things wrong. The issue is now fixed in Firefox
Reading the spec[1] this behaviour might actually be spec compliant (as the algorithm described matches on hosts rather than on domains, unless the provided header value is same-origin-domain) but I don't think that's what you'd actually want the headers to do. This might also be a spec bug?
Thisnis the first time I'm reading about this header, but if you know more you should file a bug with Firefox to get it confirmed and/or fixed.
Security headers like these are hard to keep up with, there's bound to be a bug in the implementation somewhere. At least it fails safely this time!
I got things completely wrong. The issue was that the wapm.wasm program was doing an HTTP request with a custom "User-Agent", and Firefox was blocking it because of that but showing the wrong message in the console.
Good news is... right now things work as they should in Firefox!
It seems Firefox is not treating the COOP/COEP headers as it should, and it's interpreting `Cross-Origin-Opener-Policy: same-origin` as to only allow the same domain (wapm.io) but not any parent subdomain (registry-cdn.wapm.io), while Chrome supports fully this use case treating both domains as `same-origin`.
In summary, I believe it's a bug in Firefox that I'm not sure how can be bypassed.
EDIT: I got things wrong. The issue is now fixed in Firefox