Cross-Origin-Embedder-PolicyCross-Origin-Embedder-Policy (COEP) is a security header that forces every cross-origin subresource a document loads (images, scripts, iframes, etc.) to have explicitly opted in to being embedded before it may load. With require-corp, cross-origin resources without permission are blocked.
With require-corp, every cross-origin subresource must permit loading either via a Cross-Origin-Resource-Policy header (same-site/cross-origin) or via CORS (Access-Control-Allow-Origin plus the crossorigin attribute). Without permission the browser will not load the resource. This is a precondition to keep embedded resources from leaking into an isolated process and being read via side channels.
COEP's key role is establishing crossOriginIsolated together with COOP. Only when COOP: same-origin and COEP: require-corp (or credentialless) are in place does self.crossOriginIsolated become true, unlocking SharedArrayBuffer and high-resolution timers. In practice, running WebAssembly threads or heavy workloads like ffmpeg.wasm in the browser effectively requires COEP.
require-corp can break many third-party assets that lack CORP/CORS, raising the adoption bar. The relaxed credentialless value sends cross-origin no-cors requests without cookies/credentials, permitting loads without CORP; but since credentials are dropped, login-based images and similar may behave unexpectedly.
Cross-Origin-Embedder-Policy: <unsafe-none | require-corp | credentialless>[; report-to="<group>"]e.g. Cross-Origin-Embedder-Policy: require-corp
unsafe-none | Default. Does not require any opt-in from embedded resources. |
require-corp | Every cross-origin subresource must explicitly permit loading via CORP or CORS. |
credentialless | Sends cross-origin no-cors requests without credentials (cookies), allowing loads without CORP; a relaxed alternative to require-corp. |
report-to="<group>" | Reporting-Endpoints group to which COEP violations (e.g. blocked resources) are reported. |