
Cross-Origin-Embedder-Policy

The Cross-Origin-Embedder-Policy (COEP) HTTP header controls which cross-origin resources a document is allowed to load. Under its restrictive values a document can only embed cross-origin resources that have explicitly opted in, either through CORS or through a Cross-Origin-Resource-Policy (CORP) header. Because no third-party response can then be pulled into the page without its server's consent, the browser can safely grant such a document features like SharedArrayBuffer and high-resolution timers, which are otherwise withheld because they let cross-origin data be read out through speculative-execution and timing side channels.

COEP Values

The Cross-Origin-Embedder-Policy header accepts the following values:

  1. unsafe-none: The default. Cross-origin resources may be loaded without any opt-in, exactly as if the header were absent. This value provides no additional protection.
  2. require-corp: Every cross-origin resource the document loads must explicitly opt in. A resource opts in either by being requested with CORS (for example an <img crossorigin> or a fetch() in cors mode whose response carries a suitable Access-Control-Allow-Origin header) or by carrying a Cross-Origin-Resource-Policy header whose value permits the embedding origin: cross-origin for any origin, or same-site when the document and the resource share a site. A CORP value of same-origin permits only same-origin loads, so it does not help a cross-origin embedder. Same-origin resources are unaffected.
  3. credentialless: A newer value with the same effect on cross-origin isolation as require-corp. Instead of demanding a CORP header on cross-origin no-CORS requests, the browser sends those requests without credentials (no cookies or other ambient authentication) and then accepts the response even if it lacks CORP, since a response produced without credentials cannot carry user-specific data. Responses that do send a CORP header that excludes the document's origin are still blocked.

How COEP Works

When the Cross-Origin-Embedder-Policy header is set to require-corp, the browser applies the Cross-Origin-Resource-Policy check to every cross-origin response it receives in no-CORS mode (plain <img>, <script>, <link>, <audio>, <video> and similar elements). If the response lacks a CORP header, or carries one that does not permit the document's origin, the browser discards the response and the load fails; a missing header is treated as same-origin. Requests made with CORS are governed by the CORS check instead. Nested browsing contexts are covered too: an <iframe>, even a same-origin one, is only loaded if its own response sends a COEP of require-corp or credentialless.

Additionally, Cross-Origin-Embedder-Policy works in conjunction with the Cross-Origin-Opener-Policy (COOP) header. When COOP is same-origin and COEP is require-corp (or credentialless), the document is in the "cross-origin isolated" state, which a script can confirm by reading self.crossOriginIsolated. Only in that state does the browser expose SharedArrayBuffer, finer-grained performance.now() timers and performance.measureUserAgentSpecificMemory(), features that are disabled by default because they make cross-origin data readable through timing side channels. Enabling require-corp on an existing site usually breaks third-party embeds that lack CORP, so stage the rollout with Cross-Origin-Embedder-Policy-Report-Only, which reports would-be violations through the Reporting API without blocking anything.
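The two rules above, the CORP check that COEP triggers and the COOP/COEP combination that yields cross-origin isolation, are easiest to see as a decision procedure. The following is an added example, not code from the original page or from any browser: a simplified model of the Fetch standard's cross-origin resource policy check and the HTML standard's isolation rule, written for Node.js with no dependencies. The function names corpCheck, siteOf and isCrossOriginIsolated, the origins app.example.com, static.example.com and cdn.example.net, and the two-label approximation of a site are all assumptions made for the example.

```javascript
// Added example (not from the original page): a model of the browser's
// Cross-Origin-Resource-Policy check as it applies under a document's
// Cross-Origin-Embedder-Policy, plus the cross-origin-isolation rule.
// Simplified from the Fetch and HTML standards for illustration; it is not
// browser code. Runs under Node.js with no dependencies.

const VALID_CORP = new Set(["same-origin", "same-site", "cross-origin"]);

// Site of a URL, approximated as the last two host labels (assumption: the
// example does not consult the public-suffix list as real browsers do).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Decide whether a document with embedder policy `coep` may use the response
// to a subresource request it issued.
//   documentUrl : URL of the embedding document
//   resourceUrl : URL the response came from
//   requestMode : "no-cors" (plain <img>, <script>, ...) or "cors"
//   corpHeader  : value of the response's Cross-Origin-Resource-Policy, or null
// Returns "allowed" or "blocked".
function corpCheck({ documentUrl, resourceUrl, requestMode, corpHeader, coep }) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);

  // CORS-mode requests are decided by the CORS check, not by CORP.
  if (requestMode !== "no-cors") return "allowed";
  // Same-origin responses are never subject to the check.
  if (doc.origin === res.origin) return "allowed";

  // Unknown or absent header values count as "no policy".
  let policy = VALID_CORP.has(corpHeader) ? corpHeader : null;

  if (policy === null) {
    switch (coep) {
      case "require-corp":
        // A missing CORP header is treated as same-origin, which blocks.
        policy = "same-origin";
        break;
      case "credentialless":
        // The request went out without credentials, so the opaque response
        // cannot carry user-specific data; a missing header is acceptable.
        break;
      default:
        // unsafe-none: no restriction.
        break;
    }
  }

  switch (policy) {
    case null:
    case "cross-origin":
      return "allowed";
    case "same-origin":
      return "blocked"; // the response is already known to be cross-origin
    case "same-site": {
      const sameSite = siteOf(documentUrl) === siteOf(resourceUrl);
      // An http: document may not use an https: same-site response.
      const schemeOk = doc.protocol === "https:" || res.protocol !== "https:";
      return sameSite && schemeOk ? "allowed" : "blocked";
    }
  }
}

// A document is cross-origin isolated only when COOP is same-origin and COEP
// is one of the two values compatible with isolation.
function isCrossOriginIsolated(coop, coep) {
  return coop === "same-origin" && (coep === "require-corp" || coep === "credentialless");
}

// Usage with constructed inputs: a page on app.example.com loading a CDN image.
const page = { documentUrl: "https://app.example.com/index.html", coep: "require-corp" };
console.log(corpCheck({ ...page, resourceUrl: "https://cdn.example.net/logo.png",
                        requestMode: "no-cors", corpHeader: null }));           // blocked
console.log(corpCheck({ ...page, resourceUrl: "https://cdn.example.net/logo.png",
                        requestMode: "no-cors", corpHeader: "cross-origin" })); // allowed
console.log(isCrossOriginIsolated("same-origin", page.coep));                  // true
```

Two details worth noticing: a cors-mode request returns "allowed" from this check no matter what CORP says, because the CORS response headers decide that case instead, and under credentialless a missing CORP header is accepted only because the browser already stripped credentials from the request.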

Example

In this example, a server at example.com sends the Cross-Origin-Embedder-Policy header with a value of require-corp on its HTML document, together with Cross-Origin-Opener-Policy: same-origin so that the document becomes cross-origin isolated. The page embeds an image from a second, hypothetical origin, static.example.net, whose server opts in by sending a Cross-Origin-Resource-Policy header.

Request

GET /index.html HTTP/1.1
Host: example.com

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Request for an embedded cross-origin image

GET /logo.png HTTP/1.1
Host: static.example.net

Response

HTTP/1.1 200 OK
Content-Type: image/png
Cross-Origin-Resource-Policy: cross-origin

When the browser receives the document response, it enforces require-corp for everything the page loads. The image from static.example.net is displayed because its response carries Cross-Origin-Resource-Policy: cross-origin. Had that header been missing, or set to same-origin, the browser would have discarded the response and the image would fail to load; the same applies to any other cross-origin script, stylesheet, font or media file the page references without CORS.

Summary

The Cross-Origin-Embedder-Policy header restricts a document to embedding only those cross-origin resources that have explicitly opted in, which stops a page from pulling unsuspecting third-party responses into a context where they could be read out. Setting COEP to require-corp (or credentialless) means every cross-origin resource must opt in through CORS or a Cross-Origin-Resource-Policy header, which in turn requires that your own cross-site resources carry the right CORP values and that any embedded frames send COEP themselves.

Used together with the Cross-Origin-Resource-Policy and Cross-Origin-Opener-Policy headers, the Cross-Origin-Embedder-Policy header places the document in the cross-origin isolated state that unlocks SharedArrayBuffer and high-resolution timers. Verify the result with self.crossOriginIsolated, and trial the policy with Cross-Origin-Embedder-Policy-Report-Only before enforcing it.
