# Cross-Origin Embedder Policy

## What is COEP?

The COEP header lets you make sure that every cross-origin resource loaded by your page has been explicitly permitted to load, through either CORS or CORP. Resources without that permission are blocked from loading.

## Getting Started

It is highly recommended that sites test COEP in Report Only mode before considering an enforced policy. This can be done by sending the appropriate HTTP response header:

```
Cross-Origin-Embedder-Policy-Report-Only: (unsafe-none|require-corp); report-to="default"
```

As you can see, COEP uses the Reporting API to send reports, so you will need to ensure that you have it enabled:

```
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"{URL}"}],"include_subdomains":true}
```

You can read our documentation on [Getting Started with the Reporting API](/setup/reporting-api/#getting-started) for more information.

## Useful Links

COEP is a relatively new browser technology, but there is already plenty of information on how it works and how to configure it for your site:

- https://scotthelme.co.uk/coop-and-coep/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
- https://web.dev/why-coop-coep/
- https://web.dev/coop-coep/
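
A consistency check for the Report Only rollout described under Getting Started, as an added example that is not part of the original documentation: it confirms that the `report-to` group named in the COEP header is defined in `Report-To` and that its endpoint is an HTTPS URL rather than the unfilled `{URL}` placeholder. `checkCoepRollout`, `parseCoep` and the `reports.example` endpoint are hypothetical names chosen for illustration.

```javascript
// Added example: checks that a COEP Report-Only header and Report-To agree.
// "credentialless" is a valid COEP value that this page does not list.
const POLICIES = ['unsafe-none', 'require-corp', 'credentialless'];

function parseCoep(value) {
  // The header is a token followed by ;key="value" parameters.
  const [token, ...params] = value.split(';').map((s) => s.trim());
  const m = params.map((p) => /^report-to="([^"]*)"$/.exec(p)).find(Boolean);
  return { policy: token, group: m ? m[1] : null };
}

function checkCoepRollout(headers) {
  const coep = headers['cross-origin-embedder-policy-report-only'];
  if (!coep) return ['no Cross-Origin-Embedder-Policy-Report-Only header'];
  const problems = [];
  const { policy, group } = parseCoep(coep);
  if (!POLICIES.includes(policy)) problems.push(`unknown policy "${policy}"`);
  if (!group) return problems.concat('no report-to parameter, so no reports are sent');
  let groups;
  try {
    // Report-To holds one or more comma-separated JSON objects.
    groups = JSON.parse('[' + (headers['report-to'] || '') + ']');
  } catch (e) {
    return problems.concat('Report-To is not valid JSON');
  }
  // A Report-To entry without a "group" member belongs to the group "default".
  const match = groups.find((g) => (g.group || 'default') === group);
  if (!match) return problems.concat(`group "${group}" is not defined in Report-To`);
  const endpoints = match.endpoints || [];
  if (!endpoints.length) problems.push(`group "${group}" has no endpoints`);
  for (const ep of endpoints) {
    if (!/^https:\/\//i.test(String(ep.url))) problems.push(`endpoint "${ep.url}" is not an https URL`);
  }
  return problems;
}

// Constructed sample: the page's two headers with a hypothetical endpoint filled in.
// Keys are lower-cased, as Node.js presents response headers.
const sample = {
  'cross-origin-embedder-policy-report-only': 'require-corp; report-to="default"',
  'report-to': '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://reports.example/coep"}],"include_subdomains":true}',
};
console.log(checkCoepRollout(sample));
```

An empty result means the two headers are consistent; each string in a non-empty result names one thing to fix before relying on the reports.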