
HTTP Header

Cross-Origin-Embedder-Policy

Security

Controls whether a document is allowed to load cross-origin resources that are not explicitly permitted.


What is the Cross-Origin-Embedder-Policy header?

The Cross-Origin-Embedder-Policy HTTP header is used to transmit metadata between a client and server as part of HTTP requests or responses.

HTTP headers define how content should be interpreted, cached, authenticated, secured, or processed by browsers and APIs.

Direction

This header may appear in both HTTP requests and responses.

Syntax

Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless

Example

Cross-Origin-Embedder-Policy: require-corp

Common use cases

  • Enabling cross-origin isolation
  • Protecting documents from loading unapproved cross-origin resources
  • Required for advanced browser features like SharedArrayBuffer

Common mistakes

  • Using the header in the wrong request or response context
  • Sending invalid header values
  • Incorrect header syntax
  • Assuming the header automatically changes server behaviour

Practical developer insight

COEP is a core part of cross-origin isolation. In practice, developers often encounter it when trying to use SharedArrayBuffer or other advanced browser features that require a stricter security model. Without a valid COEP policy, some features such as SharedArrayBuffer may be blocked silently or fail in confusing ways.
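The "common mistakes" and the silent failure described above can be caught by auditing the header a document response actually sends. The following is an added example, not code from this page; `auditCoep` and the sample responses are hypothetical, and it assumes that a missing, repeated or unrecognised value leaves the document at the default policy, `unsafe-none`.

```javascript
// Added example, not code from the page. Assumption: a missing, repeated or
// unrecognised value leaves the document at the default policy, unsafe-none.
const COEP_VALUES = ["unsafe-none", "require-corp", "credentialless"];

// headers: plain object of response headers (values may be string or array).
function auditCoep(headers) {
  const findings = [];
  const done = (policy) => ({
    policy,
    // COEP is only one part of cross-origin isolation; this checks that part.
    allowsIsolation: policy !== "unsafe-none",
    findings,
  });

  // Header names are case-insensitive; collect every instance of this one.
  const instances = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "cross-origin-embedder-policy")
    .flatMap(([, value]) => (Array.isArray(value) ? value : [value]));
  if (instances.length === 0) {
    findings.push("header missing");
    return done("unsafe-none");
  }

  // Repeated headers are joined with commas; a list is not a single policy.
  const raw = instances.join(", ");
  if (raw.replace(/"[^"]*"/g, "").includes(",")) {
    findings.push("more than one value sent");
    return done("unsafe-none");
  }

  // Parameters after ';' are allowed; the policy is the bare token before them.
  const token = raw.split(";")[0].trim();
  if (!COEP_VALUES.includes(token)) {
    const hint = COEP_VALUES.includes(token.toLowerCase()) ? " (wrong case)" : "";
    findings.push(`invalid value "${token}"${hint}`);
    return done("unsafe-none");
  }
  if (token === "unsafe-none") findings.push("unsafe-none does not isolate");
  return done(token);
}

// Constructed sample responses.
console.log(auditCoep({ "Cross-Origin-Embedder-Policy": "require-corp" }));
console.log(auditCoep({ "cross-origin-embedder-policy": "Require-CORP" }));
console.log(auditCoep({ "Cross-Origin-Embedder-Policy": "require-corp, credentialless" }));
```

An `allowsIsolation` result of `false` on a page that expects SharedArrayBuffer points to the header as the first thing to fix.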

Related headers