Cross-Origin Embedder Policy


What is COEP?

The COEP header allows you to make sure that any cross-origin resources loaded by your page are explicitly permitted to be loaded with either CORS or CORP, or they will be blocked from loading.


Getting Started

It is highly recommended that sites test COEP in Report Only mode before considering an enforced policy. This can be done by sending the appropriate HTTP response header:

Cross-Origin-Embedder-Policy-Report-Only: (unsafe-none|require-corp); report-to="default"

As you can see, COEP uses the Reporting API to send reports, so you will need to ensure that you have it enabled:

Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"{URL}"}],"include_subdomains":true}

You can read our documentation on Getting Started with the Reporting API for more information.


COEP is a relatively new browser technology but there is already plenty of information on how it works and how to configure it for your site:

https://scotthelme.co.uk/coop-and-coep/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

https://web.dev/why-coop-coep/

https://web.dev/coop-coep/