Cross-Origin-Embedder-Policy (COEP) is an HTTP response header that requires every cross-origin resource a page loads to explicitly grant permission (via CORP or CORS). Set to require-corp, it works with COOP to enable cross-origin isolation and blocks silently embedding resources that have not opted in.
COEP ensures a document only loads cross-origin resources that have explicitly allowed themselves to be embedded. Together with COOP it creates a cross-origin-isolated context, unlocking powerful APIs while reducing the risk of leaking data through embedded resources.
Check your website
See how your site handles cross-origin-embedder-policy (coep): controlling what you embed — free, no account needed.
For business owners
COEP is specialised hardening, mainly relevant if your app needs advanced browser capabilities or handles sensitive data. It enforces that everything you embed has consented, reducing certain data-leak risks. It requires care because it can block resources that have not opted in.
How it works (technical)
Set on document responses:
Cross-Origin-Embedder-Policy: require-corp
With require-corp, every cross-origin subresource (images, scripts, fonts, iframes) must send Cross-Origin-Resource-Policy: cross-origin or pass a CORS check, or the browser blocks it. An alternative value, credentialless, loads cross-origin resources without credentials instead of requiring opt-in. COEP + COOP (same-origin) yields cross-origin isolation, required for SharedArrayBuffer and precise timers. Audit all third-party assets before enabling, as non-compliant ones will fail to load.
Real-world example
A data-visualisation tool needed SharedArrayBuffer. Enabling COEP: require-corp broke a couple of third-party images that lacked CORP headers; the team switched those to a compliant CDN (or credentialless mode), achieved cross-origin isolation and shipped the feature safely.
Why it matters
COEP enforces explicit consent for embedded cross-origin content and unlocks isolated features. Advanced security assessments treat it as a strong hardening indicator.
How to fix it
Audit every cross-origin resource your pages load.
Ensure each sends
Cross-Origin-Resource-Policyor passes CORS.Add
Cross-Origin-Embedder-Policy: require-corp(orcredentialless).Combine with
COOP: same-originfor full cross-origin isolation.Test thoroughly — non-compliant resources will be blocked.
Best practices
Only enable COEP when you need isolation or its embedding guarantees.
Prefer
credentiallessif updating every third-party resource is impractical.Roll out behind a report-only phase where tooling allows.
Common mistakes
Enabling require-corp without auditing third-party assets, breaking images or scripts.
Assuming COEP alone enables isolation (COOP is also required).
Ignoring the credentialless option that eases adoption.
Frequently asked questions
What does COEP do?
It requires cross-origin resources to explicitly opt in to being embedded (via CORP or CORS), otherwise the browser blocks them.
Why enable COEP?
To achieve cross-origin isolation (with COOP) for powerful APIs, and to reduce the risk of embedding resources that have not consented.
What breaks when I enable COEP?
Any cross-origin resource without CORP or valid CORS will fail to load. Audit and fix third-party assets first, or use credentialless mode.
What is credentialless mode?
A COEP value that loads cross-origin resources without credentials instead of requiring them to send CORP, easing adoption.
Do I need COEP and COOP together?
For cross-origin isolation, yes. COEP: require-corp plus COOP: same-origin creates the isolated context powerful APIs require.
Is COEP required for most sites?
No. It is mainly for apps needing advanced capabilities or stronger embedding guarantees. Many sites never need it.
How do I test COEP safely?
Roll out on staging, audit which resources get blocked, fix or replace them, and verify functionality before production.
Does COEP affect same-origin resources?
No. It governs cross-origin resources; your own same-origin assets are unaffected.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free