Cross-Origin Embedder Policy (COEP)
What is Cross-Origin Embedder Policy (COEP)?
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.
Cross-Origin Embedder Policy (`Cross-Origin-Embedder-Policy`) is a browser security header that controls whether a document may embed cross-origin subresources without an explicit opt-in. With `require-corp`, every cross-origin image, script, font, or other asset fetched in no-CORS mode must carry a `Cross-Origin-Resource-Policy` (CORP) header that authorizes the embed (`cross-origin`, or `same-site` for a same-site asset); a resource requested in CORS mode (`fetch()`, or an element with the `crossorigin` attribute) passes instead when the CORS check succeeds, i.e. the response carries a matching `Access-Control-Allow-Origin`. Anything else fails to load. A cross-origin iframe must additionally send a COEP header of its own, or the frame is blocked. With `credentialless`, cross-origin no-CORS requests are sent without cookies and other credentials and treated as anonymous, so a missing CORP header no longer blocks the load; a resource that explicitly answers `Cross-Origin-Resource-Policy: same-origin` is still blocked. COEP exists primarily to enable cross-origin isolation: when paired with `Cross-Origin-Opener-Policy: same-origin`, it unlocks `SharedArrayBuffer`, higher-resolution timers, and other features that were restricted to mitigate Spectre; a script can confirm the result by checking `self.crossOriginIsolated`. Deploying COEP therefore usually requires auditing third-party assets to ensure they ship `Cross-Origin-Resource-Policy: cross-origin` or proper CORS, and `Cross-Origin-Embedder-Policy-Report-Only` lets a site observe what would break before enforcing.
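The per-subresource decision described above, as an added example that is not part of this glossary entry or of any browser's code: a simplified JavaScript model of the check a browser runs under each COEP value, following the structure of the Fetch specification's cross-origin resource policy check. The function and helper names, the constructed URLs, and the two-label same-site rule (real browsers use the Public Suffix List) are assumptions made for this example.

```javascript
// Added example: a simplified model of the check a browser runs on each
// cross-origin subresource under Cross-Origin-Embedder-Policy. It follows the
// shape of the Fetch spec's "cross-origin resource policy check" but is not
// browser code; helper names and the same-site rule are assumptions.

// Origin comparison helpers (constructed for this example).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplification: "site" = scheme + last two host labels. Real browsers use
// the Public Suffix List, so e.g. `co.uk` is handled differently there.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Parse a Cross-Origin-Resource-Policy header value; anything unknown is null.
function parseCorp(value) {
  const v = (value || '').trim().toLowerCase();
  return ['same-origin', 'same-site', 'cross-origin'].includes(v) ? v : null;
}

// Decide whether `response` may be embedded by the document at `documentUrl`.
//   coep:     'unsafe-none' | 'require-corp' | 'credentialless'
//   request:  { url, mode: 'no-cors' | 'cors' }
//   response: { headers: { 'cross-origin-resource-policy'?, 'access-control-allow-origin'? } }
// Returns 'allowed' or 'blocked'.
function embedderPolicyCheck(coep, documentUrl, request, response) {
  const headers = response.headers || {};
  if (sameOrigin(documentUrl, request.url)) return 'allowed';

  // CORS-mode loads (fetch(), <script crossorigin>, <img crossorigin>) are
  // governed by the CORS check; a passing CORS response satisfies COEP.
  if (request.mode === 'cors') {
    const acao = headers['access-control-allow-origin'];
    return acao === '*' || acao === originOf(documentUrl) ? 'allowed' : 'blocked';
  }

  // no-cors loads: apply the CORP check with the document's embedder policy.
  // Under credentialless a cross-origin no-cors request is sent without
  // credentials; require-corp and unsafe-none still send them.
  const requestIncludesCredentials = coep !== 'credentialless';

  let policy = parseCorp(headers['cross-origin-resource-policy']);
  if (policy === null) {
    if (coep === 'require-corp') policy = 'same-origin';
    else if (coep === 'credentialless' && requestIncludesCredentials) policy = 'same-origin';
    // unsafe-none: a missing CORP header means no restriction.
  }

  switch (policy) {
    case null:
    case 'cross-origin':
      return 'allowed';
    case 'same-origin':
      return sameOrigin(documentUrl, request.url) ? 'allowed' : 'blocked';
    case 'same-site':
      return sameSite(documentUrl, request.url) ? 'allowed' : 'blocked';
    default:
      return 'blocked';
  }
}

// Constructed scenarios: a document on https://app.example embedding an image
// hosted on https://cdn.other.test (both hostnames invented for the example).
const DOC = 'https://app.example/';
const IMG = { url: 'https://cdn.other.test/logo.png', mode: 'no-cors' };

const scenarios = [
  ['require-corp, no CORP header', embedderPolicyCheck('require-corp', DOC, IMG, { headers: {} })],
  ['require-corp, CORP: cross-origin', embedderPolicyCheck('require-corp', DOC, IMG,
    { headers: { 'cross-origin-resource-policy': 'cross-origin' } })],
  ['credentialless, no CORP header', embedderPolicyCheck('credentialless', DOC, IMG, { headers: {} })],
  ['credentialless, CORP: same-origin', embedderPolicyCheck('credentialless', DOC, IMG,
    { headers: { 'cross-origin-resource-policy': 'same-origin' } })],
  ['require-corp, CORS load with matching ACAO', embedderPolicyCheck('require-corp', DOC,
    { ...IMG, mode: 'cors' }, { headers: { 'access-control-allow-origin': 'https://app.example' } })],
];
for (const [name, result] of scenarios) console.log(`${name}: ${result}`);
```

Run it with `node`; each scenario prints `allowed` or `blocked`. The two `credentialless` rows show the practical difference: the asset that `require-corp` rejects for lacking a CORP header loads anonymously, while a resource that explicitly answers `same-origin` stays blocked under both values.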
● Examples
- 01
A WebAssembly-heavy app sends `Cross-Origin-Embedder-Policy: require-corp` and `Cross-Origin-Opener-Policy: same-origin` to re-enable `SharedArrayBuffer`.
- 02
A CDN that serves third-party scripts adds `Cross-Origin-Resource-Policy: cross-origin` so its assets remain embeddable in COEP-enforcing pages.
● Frequently asked questions
What is Cross-Origin Embedder Policy (COEP)?
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP. It falls under the Application Security category of cybersecurity.
What does Cross-Origin Embedder Policy (COEP) mean?
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.
How does Cross-Origin Embedder Policy (COEP) work?
When a document sends `Cross-Origin-Embedder-Policy: require-corp`, the browser refuses to load any cross-origin subresource that has not opted in: no-CORS loads need a permissive `Cross-Origin-Resource-Policy` header, CORS-mode loads need a passing CORS check (`Access-Control-Allow-Origin`), and cross-origin iframes must send COEP themselves. `credentialless` instead strips cookies and other credentials from cross-origin no-CORS requests, so resources without a CORP header can still load anonymously. Combined with `Cross-Origin-Opener-Policy: same-origin`, this makes the document cross-origin isolated and re-enables `SharedArrayBuffer` and precise timers; see the full definition above.
How is Cross-Origin Embedder Policy (COEP) deployed?
Deploying Cross-Origin Embedder Policy (COEP) usually combines technical controls with operational practice: audit every cross-origin asset for CORP or CORS headers, roll out with `Cross-Origin-Embedder-Policy-Report-Only` first, then enforce; see the full definition above.
What other names does Cross-Origin Embedder Policy (COEP) go by?
Common aliases include: COEP.
● Related terms
- appsec№ 263
Cross-Origin Opener Policy (COOP)
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.
- appsec№ 246
CORS (Cross-Origin Resource Sharing)
A browser-enforced mechanism that lets a server selectively relax the same-origin policy so that JavaScript on one origin can read responses from another origin.
- appsec№ 237
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources it may load scripts, styles, frames and other content from, limiting the impact of XSS and data-injection attacks.
- appsec№ 552
HTTP security response headers
The set of response headers that instruct the browser to enforce defensive behaviours such as forced HTTPS, embedding restrictions, content policy and referrer control.
- appsec№ 1164
Site Isolation
A Chromium security architecture that places documents from different sites into separate operating-system processes, so that a compromised renderer process cannot read cross-site data.
- vulnerabilities№ 1192
Spectre
A class of microarchitectural attacks that exploit CPU speculative execution to leak data across security boundaries through cache-based side channels.
● See also
- № 911 Permissions-Policy