Cross-Origin Embedder Policy (COEP).

An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP. Pertenece a la categoría de Seguridad de aplicaciones en ciberseguridad.

An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.

Cross-Origin Embedder Policy (`Cross-Origin-Embedder-Policy`) is a browser security header that controls whether a document is allowed to embed cross-origin subresources without an explicit opt-in. With `require-corp`, every image, script, iframe, font, or other cross-origin asset must carry either a CORS response (`Access-Control-Allow-Origin`) or a Cross-Origin-Resource-Policy (CORP) header that authorizes the embed; otherwise the load fails. With `credentialless`, cross-origin requests for no-CORS resources are sent without cookies and treated as anonymous. COEP exists primarily to enable cross-origin isolation: when paired with `Cross-Origin-Opener-Policy: same-origin`, it unlocks high-resolution timers, `SharedArrayBuffer`, and other features that were restricted to mitigate Spectre. Deploying COEP often requires auditing third-party assets to ensure they ship `Cross-Origin-Resource-Policy: cross-origin` or proper CORS.

Las defensas contra Cross-Origin Embedder Policy (COEP) combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: COEP.