Cross-Origin Embedder Policy (COEP)

Security Glossary - Security Headers

Definition: Cross-Origin Embedder Policy (COEP) controls whether a page can load cross-origin resources that do not explicitly grant permission via CORS or the Cross-Origin-Resource-Policy (CORP) header. Setting COEP to require-corp means every cross-origin resource must opt in to being loaded, which keeps data from non-cooperating origins out of the page's process and so limits what speculative execution attacks like Spectre can read.

Why You Should Care About COEP

COEP was introduced as a response to the Spectre CPU vulnerability, which showed that malicious JavaScript could use high-resolution timers to read memory belonging to other origins that had been loaded into the same browser process. By requiring all cross-origin resources to explicitly opt in, COEP ensures that only cooperating origins share a process, making Spectre-style attacks infeasible.

Cross-Origin-Embedder-Policy: require-corp combined with Cross-Origin-Opener-Policy: same-origin enables cross-origin isolation, which unlocks browser APIs like SharedArrayBuffer and high-resolution performance timers. These APIs were disabled by default after Spectre because they could be used to build precise timing side channels.

The tradeoff is that COEP can break pages that load resources from third parties that do not set CORS or CORP headers. Images, scripts, or fonts from CDNs or external services may fail to load if they have not been configured to allow cross-origin embedding. The credentialless option is a less strict alternative: cross-origin requests made without CORS are sent without credentials (cookies or HTTP authentication), and the resulting responses may be loaded even when they carry no CORP header.

How to Test for COEP

A security audit checks for the Cross-Origin-Embedder-Policy header. If you need cross-origin isolation, set COEP: require-corp and ensure every cross-origin resource carries a proper CORS or CORP header. Use credentialless if require-corp breaks third-party resources you cannot reconfigure.
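The following is an added example, not code from this glossary or from DomainOptic. It models the decision a browser makes for each cross-origin subresource under the three COEP values, and the COOP+COEP combination that yields cross-origin isolation, so you can audit a list of resources before switching on require-corp. The hosts, headers and resources are constructed; the site computation is a simplification (real browsers consult the Public Suffix List), and the model assumes credentialless counts toward isolation, as it does in browsers that implement it.

```python
"""Added example: a simplified model of the browser's Cross-Origin Resource
Policy check under COEP, plus the COOP+COEP cross-origin isolation check.
Not a browser implementation; all URLs and headers below are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
CORP_VALUES = {"same-origin", "same-site", "cross-origin"}


def origin_of(url: str) -> str:
    """Serialize an origin as scheme://host[:port], omitting the default port."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port and p.port != DEFAULT_PORTS.get(p.scheme) else ""
    return f"{p.scheme}://{p.hostname}{port}"


def site_of(origin: str) -> str:
    """Approximate the schemeful site as scheme + last two host labels.
    Simplification: real browsers use the Public Suffix List."""
    scheme, host = origin.split("://", 1)
    host = host.split(":", 1)[0]
    return scheme + "://" + ".".join(host.split(".")[-2:])


def header(headers: dict, name: str):
    """Case-insensitive header lookup; returns the lower-cased value or None."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip().lower()
    return None


@dataclass
class Resource:
    url: str
    mode: str                        # "no-cors" (plain <img>/<script>/<link>) or "cors"
    headers: dict = field(default_factory=dict)  # constructed response headers
    credentials: bool = False        # cors mode only: crossorigin="use-credentials"


def resource_allowed(page_url: str, res: Resource, coep: str):
    """Decide whether the page may load `res` under its COEP value.
    Returns (allowed, reason)."""
    page_origin, res_origin = origin_of(page_url), origin_of(res.url)
    if page_origin == res_origin:
        return True, "same-origin resource"
    if res.mode == "cors":
        # CORS-mode responses are governed by the CORS check, not by CORP.
        acao = header(res.headers, "Access-Control-Allow-Origin")
        if acao == page_origin.lower() or (acao == "*" and not res.credentials):
            return True, "CORS grant"
        return False, "CORS check failed"
    corp = header(res.headers, "Cross-Origin-Resource-Policy")
    if corp not in CORP_VALUES:          # header missing or invalid
        if coep == "require-corp":
            corp = "same-origin"         # require-corp treats a missing CORP as same-origin
        elif coep == "credentialless":
            # credentialless strips credentials from no-cors requests, so the
            # uncredentialed response may be used without a CORP header
            return True, "credentialless: uncredentialed fetch, CORP not required"
        else:
            return True, "unsafe-none: no CORP, no restriction"
    if corp == "cross-origin":
        return True, "CORP: cross-origin"
    if corp == "same-site" and site_of(page_origin) == site_of(res_origin):
        return True, "CORP: same-site"
    return False, f"blocked by CORP: {corp}"


def is_cross_origin_isolated(page_headers: dict) -> bool:
    """COOP: same-origin plus COEP require-corp or credentialless."""
    coop = header(page_headers, "Cross-Origin-Opener-Policy")
    coep = header(page_headers, "Cross-Origin-Embedder-Policy")
    return coop == "same-origin" and coep in ("require-corp", "credentialless")


def audit(page_url: str, page_headers: dict, resources):
    """Return [(url, allowed, reason)] for each subresource under the page's COEP."""
    coep = header(page_headers, "Cross-Origin-Embedder-Policy") or "unsafe-none"
    return [(r.url, *resource_allowed(page_url, r, coep)) for r in resources]


# Constructed sample page and subresources (hypothetical hosts)
PAGE_URL = "https://app.example"
PAGE_HEADERS = {"Cross-Origin-Opener-Policy": "same-origin",
                "Cross-Origin-Embedder-Policy": "require-corp"}
RESOURCES = [
    Resource("https://cdn.example.net/lib.js", "no-cors"),                 # no CORP header
    Resource("https://cdn.example.net/logo.png", "no-cors",
             {"Cross-Origin-Resource-Policy": "cross-origin"}),
    Resource("https://static.app.example/font.woff2", "no-cors",
             {"Cross-Origin-Resource-Policy": "same-site"}),
    Resource("https://api.example.org/data", "cors",
             {"Access-Control-Allow-Origin": "https://app.example"}),
]

if __name__ == "__main__":
    print("cross-origin isolated:", is_cross_origin_isolated(PAGE_HEADERS))
    for url, ok, why in audit(PAGE_URL, PAGE_HEADERS, RESOURCES):
        print("ALLOW" if ok else "BLOCK", url, "-", why)
```

Running the audit against the constructed list reports the CDN script without a CORP header as blocked under require-corp while the other three load; re-running the same resource with coep set to "credentialless" shows why that value is the safer first step when a third party cannot be reconfigured.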


Questions and Answers

When do I need COEP?
COEP is needed if you want to enable cross-origin isolation for APIs like SharedArrayBuffer. For most websites it is optional, but it improves security. If you use WebAssembly threads or high-resolution timers, you need COEP: require-corp together with COOP: same-origin.
Will COEP break third-party resources?
It can. Resources from origins that do not set CORS or CORP headers will be blocked. Before enabling require-corp, audit every cross-origin resource the page loads. Use COEP: credentialless as a less strict alternative that allows cross-origin requests made without credentials.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.