WebUI: set Cross Origin Opener Policy to same-origin

This separates browsing context for different origin sites and prevents
leaking data from it.
This header is only present when using built-in WebUI. Alternative WebUI
is not affected.
https://web.dev/why-coop-coep/#coop

PR #19157.

src/webui/webapplication.cpp

@@ -406,7 +406,10 @@ void WebApplication::configure()
     m_prebuiltHeaders.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS, u"nosniff"_qs});
 
     if (!m_isAltUIUsed)
+    {
+        m_prebuiltHeaders.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY, u"same-origin"_qs});
         m_prebuiltHeaders.push_back({Http::HEADER_REFERRER_POLICY, u"same-origin"_qs});
+    }
 
     const bool isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
     if (isClickjackingProtectionEnabled)