Cross-Origin-Embedder-Policy
Response header Security

Overview

Cross-Origin-Embedder-Policy (COEP) is a security header that forces every cross-origin subresource a document loads (images, scripts, iframes, etc.) to have explicitly opted in to being embedded before it may load. With require-corp, cross-origin resources without permission are blocked.

Details

With require-corp, every cross-origin subresource must permit loading either via a Cross-Origin-Resource-Policy header (same-site/cross-origin) or via CORS (Access-Control-Allow-Origin plus the crossorigin attribute). Without permission the browser will not load the resource. This is a precondition to keep embedded resources from leaking into an isolated process and being read via side channels.

COEP's key role is establishing crossOriginIsolated together with COOP. Only when COOP: same-origin and COEP: require-corp (or credentialless) are in place does self.crossOriginIsolated become true, unlocking SharedArrayBuffer and high-resolution timers. In practice, running WebAssembly threads or heavy workloads like ffmpeg.wasm in the browser effectively requires COEP.

require-corp can break many third-party assets that lack CORP/CORS, raising the adoption bar. The relaxed credentialless value sends cross-origin no-cors requests without cookies/credentials, permitting loads without CORP; but since credentials are dropped, login-based images and similar may behave unexpectedly.

Syntax

Cross-Origin-Embedder-Policy: <unsafe-none | require-corp | credentialless>[; report-to="<group>"]

e.g. Cross-Origin-Embedder-Policy: require-corp

Directives / values

unsafe-noneDefault. Does not require any opt-in from embedded resources.
require-corpEvery cross-origin subresource must explicitly permit loading via CORP or CORS.
credentiallessSends cross-origin no-cors requests without credentials (cookies), allowing loads without CORP; a relaxed alternative to require-corp.
report-to="<group>"Reporting-Endpoints group to which COEP violations (e.g. blocked resources) are reported.

Notes

Related headers

Related status codes

Specification