Cross-Origin Embedder Policy (COEP).

An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP. It belongs to the Application Security category of cybersecurity.

An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.

Cross-Origin Embedder Policy (`Cross-Origin-Embedder-Policy`) is a browser security header that controls whether a document is allowed to embed cross-origin subresources without an explicit opt-in. With `require-corp`, every image, script, iframe, font, or other cross-origin asset must carry either a CORS response (`Access-Control-Allow-Origin`) or a Cross-Origin-Resource-Policy (CORP) header that authorizes the embed; otherwise the load fails. With `credentialless`, cross-origin requests for no-CORS resources are sent without cookies and treated as anonymous. COEP exists primarily to enable cross-origin isolation: when paired with `Cross-Origin-Opener-Policy: same-origin`, it unlocks high-resolution timers, `SharedArrayBuffer`, and other features that were restricted to mitigate Spectre. Deploying COEP often requires auditing third-party assets to ensure they ship `Cross-Origin-Resource-Policy: cross-origin` or proper CORS.

Defences for Cross-Origin Embedder Policy (COEP) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: COEP.