Require all assets to be loaded with CORS or CORP enabled

Prevent assets from loading if they did not explicitly opt in.

Cross-Origin Embedder Policy

  • Make sure all of your third-party (3P) assets have opted in to being loaded
  • A permissive CORS policy or permissive CORP header is required
  • A required step towards Cross-Origin Read Blocking

Easy Setup

COEP is enabled with a single HTTP Response Header, requiring only a single line of code or config.

There is a safe test mode for COEP, meaning you can gather feedback about the impact on your site without any risk.
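
A pre-deployment check for the setup described above, as an added example that is not code from this page or its vendor: it builds the report-only (test mode) or enforcing header and classifies an asset inventory by whether each asset has opted in via CORS or CORP. The URLs, the sample inventory and the reporting endpoint name "coep" are assumptions constructed for illustration.

```javascript
// Added example: which subresources survive "require-corp"?
// Header pair for each rollout stage. "coep" is a hypothetical endpoint
// name that a Reporting-Endpoints header on the same response would define.
function coepHeader(enforce) {
  const name = enforce
    ? 'Cross-Origin-Embedder-Policy'
    : 'Cross-Origin-Embedder-Policy-Report-Only'; // test mode: report, never block
  return [name, 'require-corp; report-to="coep"'];
}

// Verdict for one subresource.
// res: { url, mode: 'cors' | 'no-cors', headers: { 'lowercase-name': value } }
function coepVerdict(pageUrl, res) {
  const page = new URL(pageUrl).origin;
  if (new URL(res.url).origin === page) return 'allow: same-origin';
  const h = res.headers || {};
  if (res.mode === 'cors') {
    // Fetched with crossorigin="anonymous": a passing CORS check is the opt-in.
    const acao = h['access-control-allow-origin'];
    return acao === '*' || acao === page ? 'allow: cors' : 'block: cors check fails';
  }
  // Plain no-cors fetch: only a CORP response header opts the asset in.
  const corp = (h['cross-origin-resource-policy'] || '').trim().toLowerCase();
  if (corp === 'cross-origin') return 'allow: corp';
  // same-site needs a Public Suffix List comparison, so flag it for a human.
  if (corp === 'same-site') return 'review: needs same-site comparison';
  return 'block: no cross-origin opt-in';
}

function audit(pageUrl, resources) {
  return resources.map((r) => ({ url: r.url, verdict: coepVerdict(pageUrl, r) }));
}

// Constructed inventory of assets referenced by https://example.com/.
const SAMPLE = [
  { url: 'https://example.com/app.js', mode: 'no-cors', headers: {} },
  { url: 'https://cdn.example.net/lib.js', mode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
  { url: 'https://img.example.org/a.png', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'cross-origin' } },
  { url: 'https://ads.example.net/t.gif', mode: 'no-cors', headers: {} },
  { url: 'https://fonts.example.org/f.woff2', mode: 'cors', headers: {} },
];

console.log(coepHeader(false).join(': '));
for (const row of audit('https://example.com/', SAMPLE)) {
  console.log(row.verdict.padEnd(32), row.url);
}
```

Assets reported as blocked here are the ones a report-only deployment would surface before the enforcing header is switched on.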

Multipurpose Feature

Cross-Origin Embedder Policy allows you to ensure that all assets loading on your site have explicitly opted in to being loaded.

COEP can be used to achieve that worthwhile goal, or as part of a broader effort to enable Cross-Origin Read Blocking.

Related Features

Alongside deploying Cross-Origin Embedder Policy, you should also consider Cross-Origin Opener Policy.

COOP Reports

Ensure process isolation for your origin in the browser.