devin-ai-integration[bot] (Contributor)

Description

This PR adds documentation for the Cross-Origin-Opener-Policy: same-origin-allow-popups header to the Content Security Policy documentation, specifically to protect AppKit Social Login customers from tabnabbing attacks.

Changes made:

  • Added the Cross-Origin-Opener-Policy header to the existing CSP example in advanced/security/content-security-policy.mdx
  • Added a new explanatory Note section describing the importance of this header for social login security and tabnabbing prevention
  • Updated .cspell.json to include "tabnabbing" as an allowed word to resolve spell check errors

This addresses the security recommendation from the Tabnabbing Phishing Attack executive summary to help protect users during OAuth flows with social providers like Google, GitHub, Discord, Apple, Facebook, and Farcaster.

Tests

  • Ran pnpm run spell and confirmed no spelling errors (0 issues found in 696 files)
  • Ran the changes locally with Mintlify and confirmed that the changes appear as expected
  • Ran a grammar check on the updated/created content using ChatGPT

Important Review Points

⚠️ Technical Review Required:

  1. Header placement: The Cross-Origin-Opener-Policy header is shown within the CSP code block, but it's technically a separate HTTP header. Please verify if this presentation is clear to developers or if it should be shown separately.

  2. Security guidance accuracy: Please review the technical accuracy of the tabnabbing protection explanation and confirm that same-origin-allow-popups is the appropriate value for all AppKit social login scenarios.

  3. Documentation consistency: Verify the new Note section follows the existing documentation patterns and formatting standards.

Direct link to the deployed preview files


Link to Devin run: https://app.devin.ai/sessions/c0e51c0e0be34f9083c1bd4fbb70272e

Requested by: TomTom (tomas.rawski@reown.com)

This change implements the security recommendation from the DevRel team (Derek Rein) to document the Cross-Origin-Opener-Policy header for AppKit Social Login customers to minimize tabnabbing attack risks.

… social login security

- Added Cross-Origin-Opener-Policy: same-origin-allow-popups to the AppKit CSP example
- Added explanatory note about tabnabbing protection for social login flows
- Added 'tabnabbing' to spell check configuration to resolve linting issues

This security header helps prevent tabnabbing attacks during OAuth flows with social providers like Google, GitHub, Discord, etc.

Co-Authored-By: TomTom <tomtom@reown.com>
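To make review point 1 concrete: below is an added example, not code from this PR or from the AppKit docs, showing Content-Security-Policy and Cross-Origin-Opener-Policy emitted as two separate HTTP headers, plus a small check that flags the mistake of pasting the COOP line into the CSP value (where a browser would treat it as an unknown CSP directive and ignore it). The CSP directive values, function names and the fake response object are assumptions for illustration.

```javascript
// Added example for this PR discussion; it is not code from the PR or from the
// AppKit/Reown docs. Directive values and function names are illustrative.

// Builds the response headers. Content-Security-Policy is one header whose
// value is a ';'-separated list of directives. Cross-Origin-Opener-Policy is
// a separate header, not a CSP directive, so it gets its own key here.
function securityHeaders({ allowSocialLoginPopups = true } = {}) {
  const cspDirectives = [
    "default-src 'self'", // placeholder: use the directives from the AppKit CSP docs
    "frame-ancestors 'none'",
  ];
  return {
    "Content-Security-Policy": cspDirectives.join("; "),
    // same-origin-allow-popups: popups this page opens (e.g. an OAuth
    // provider window that does not set COOP) keep window.opener, so the
    // popup can postMessage the result back; when this page is itself opened
    // from a cross-origin page, that opener link is severed. Plain
    // "same-origin" also severs the popup's opener and breaks popup sign-in.
    "Cross-Origin-Opener-Policy": allowSocialLoginPopups
      ? "same-origin-allow-popups"
      : "same-origin",
  };
}

// Applies the header map to any object with setHeader (Node's
// http.ServerResponse, an Express res, ...). Returns the names set.
function applyHeaders(res, headers) {
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return Object.keys(headers);
}

// Reviewer's check for the header map a server is about to send: catches the
// mistake the PR's review point 1 warns about (COOP pasted into the CSP
// value), a missing COOP header (browser default is unsafe-none), and an
// unexpected COOP value.
function checkHeaders(headers) {
  const problems = [];
  const csp = headers["Content-Security-Policy"] || "";
  const coop = (headers["Cross-Origin-Opener-Policy"] || "").trim();
  if (/cross-origin-opener-policy/i.test(csp)) {
    problems.push("Cross-Origin-Opener-Policy appears inside the CSP value; send it as its own header");
  }
  if (!coop) {
    problems.push("Cross-Origin-Opener-Policy header is missing (browser default is unsafe-none)");
  } else if (!["same-origin-allow-popups", "same-origin"].includes(coop)) {
    problems.push(`unexpected Cross-Origin-Opener-Policy value: ${coop}`);
  }
  return problems;
}

// Constructed demo: a minimal fake response object standing in for a server's.
const fakeRes = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
applyHeaders(fakeRes, securityHeaders());
console.log(checkHeaders(fakeRes.headers)); // [] when both headers are sent correctly

// The misplaced form: COOP pasted into the CSP value and no COOP header at all.
const misplaced = {
  "Content-Security-Policy":
    "default-src 'self'; Cross-Origin-Opener-Policy: same-origin-allow-popups",
};
console.log(checkHeaders(misplaced)); // two problems
```

On a deployed page, `curl -I https://your-app.example` (hostname is a placeholder) should show a separate `Cross-Origin-Opener-Policy: same-origin-allow-popups` line alongside `Content-Security-Policy`; if the value only appears inside the CSP line, the browser is not applying any opener isolation.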
devin-ai-integration[bot] (Contributor, Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


@devin-ai-integration[bot] Please review the tone of voice for the content changes in this PR against Reown's brand guidelines.

📝 Content Review Request

Files to review: 1

  • advanced/security/content-security-policy.mdx

Review focus:

  • Tone alignment with Reown's brand guidelines
  • Clear and accessible language for developers
  • Professional yet approachable communication
  • Consistent terminology usage

Guidelines summary:

  • Clear & Accessible: Translate complex ideas into approachable language
  • Professional yet Friendly: Maintain authority while being welcoming
  • Developer-Focused: Understand technical audience but remain inclusive
  • Avoid: Overly casual language, fear-based messaging, buzzwords, jargon without explanation
  • Embrace: Clear explanations, confident tone, transparency, respectful communication

Please analyze the content changes and provide constructive feedback on tone and voice alignment.
