Cross-Origin-Embedder-Policy
The HTTP Cross-Origin-Embedder-Policy (COEP) response header controls whether a document allows loading cross-origin resources, enabling cross-origin isolation when paired with Cross-Origin-Opener-Policy.
Usage
The Cross-Origin-Embedder-Policy header prevents a document from loading cross-origin resources unless those resources explicitly grant permission. Enabling COEP is one of the two requirements for achieving cross-origin isolation, which unlocks access to SharedArrayBuffer, performance.measureUserAgentSpecificMemory(), and high-resolution timers. The other requirement is setting Cross-Origin-Opener-Policy to same-origin.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
The require-corp directive is the strictest mode. All cross-origin subresources must include Cross-Origin-Resource-Policy headers or be loaded through CORS. This is effective but creates a deployment barrier when embedding third-party resources like images, scripts, or ads from servers outside of direct control.

The credentialless directive addresses this barrier. Instead of requiring CORP or CORS headers on every cross-origin resource, the browser strips credentials (cookies, client certificates) from no-CORS cross-origin requests. Resources fetched without credentials are treated as publicly available and safe to load. This enables cross-origin isolation without requiring cooperation from third-party servers.
Cross-origin iframes remain restricted under both require-corp and credentialless. An iframe loaded from a different origin still needs its own COEP and CORP headers. The credentialless attribute on the <iframe> element solves this by creating an ephemeral storage partition for the embedded document, isolating the iframe from the parent page's cookies and storage. Storage created within a credentialless iframe is cleared when the top-level document unloads.

<iframe credentialless
        src="https://third-party.example.re">
</iframe>
Note
The credentialless directive is supported by Chromium-based browsers and Firefox. The credentialless iframe attribute is supported in Chromium-based browsers only.
Directives
unsafe-none
The default value. The document loads cross-origin resources without restrictions. No cross-origin isolation is established. CORS and Cross-Origin-Resource-Policy are not required.
require-corp
The document loads cross-origin resources only when they are served with Cross-Origin-Resource-Policy set to cross-origin or loaded through CORS with the crossorigin attribute. Same-origin resources load without additional headers. This is the strictest mode and provides full cross-origin isolation when paired with Cross-Origin-Opener-Policy: same-origin.
credentialless
The document loads cross-origin no-CORS resources without credentials. The browser strips cookies and other credentials from these requests, treating the responses as publicly available. Resources loaded through CORS with explicit credential modes (crossorigin="use-credentials") still include credentials and require proper CORS configuration. This directive establishes cross-origin isolation like require-corp but removes the requirement for third-party servers to add CORP headers.
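The three directives differ in what the browser does with a subresource response that carries no Cross-Origin-Resource-Policy header, and in whether cookies are still attached to the request. The following is an added example, not code from the page or from any browser: a small model of that decision, structured after the cross-origin resource policy check in the Fetch standard. Request and response objects are constructed, and "same-site" is approximated with a naive registrable-domain guess (last two host labels), which is a simplification of the real site comparison.

```javascript
// Added example, not code from the page or a browser: a model of the decision
// a browser makes for each subresource under the three COEP directives. It
// follows the structure of the Fetch standard's cross-origin resource policy
// check; "same-site" is approximated with a naive registrable-domain guess
// (last two host labels), which is a simplification.

// Under credentialless, a no-CORS request that would carry cookies to a
// cross-origin host has its credentials mode reduced to "same-origin", so
// cookies and client certificates only accompany same-origin URLs.
function effectiveCredentialsMode(coep, request) {
  if (coep === "credentialless" && request.mode === "no-cors" && request.credentials === "include") {
    return "same-origin";
  }
  return request.credentials;
}

// Naive eTLD+1 guess; a real browser uses the Public Suffix List.
function registrableDomain(origin) {
  const host = new URL(origin).hostname;
  return host.split(".").slice(-2).join(".");
}

// request:  { origin, mode: "no-cors" | "cors", credentials: "omit" | "same-origin" | "include" }
// response: { origin, headers: { <lowercased header name>: value } }
function corpCheck({ coep, request, response }) {
  const sameOrigin = request.origin === response.origin;
  const credentials = effectiveCredentialsMode(coep, request);
  const includesCredentials =
    credentials === "include" || (credentials === "same-origin" && sameOrigin);
  const verdict = (allowed, reason) => ({ allowed, reason, credentials });

  // CORS-mode requests (crossorigin attribute, fetch()) are governed by the
  // CORS check on Access-Control-Allow-Origin, not by CORP; credentialless
  // does not strip credentials from them.
  if (request.mode === "cors") {
    const acao = response.headers["access-control-allow-origin"];
    const acac = response.headers["access-control-allow-credentials"];
    const ok = sameOrigin || (credentials === "include"
      ? acao === request.origin && acac === "true"
      : acao === "*" || acao === request.origin);
    return verdict(ok, ok ? "CORS check passed" : "CORS check failed");
  }

  // no-CORS same-origin responses are never opaque, so CORP does not apply.
  if (sameOrigin) return verdict(true, "same-origin");

  let policy = response.headers["cross-origin-resource-policy"] ?? null;
  if (!["same-origin", "same-site", "cross-origin"].includes(policy)) policy = null;

  // With no CORP header the embedder policy decides the default:
  //   unsafe-none    -> no requirement
  //   require-corp   -> behave as if CORP were same-origin (block)
  //   credentialless -> block only if the request still carried credentials
  if (policy === null) {
    if (coep === "require-corp") policy = "same-origin";
    else if (coep === "credentialless" && includesCredentials) policy = "same-origin";
  }

  switch (policy) {
    case null:
      return verdict(true, "no CORP header required");
    case "cross-origin":
      return verdict(true, "CORP: cross-origin");
    case "same-site": {
      const ok = registrableDomain(request.origin) === registrableDomain(response.origin)
        && response.origin.startsWith("https:");
      return verdict(ok, ok ? "CORP: same-site" : "CORP: same-site blocks cross-site embed");
    }
    default:
      return verdict(false, "CORP: same-origin blocks cross-origin embed");
  }
}

module.exports = { corpCheck, effectiveCredentialsMode, registrableDomain };
```

Feeding the same cookie-bearing no-CORS image request through all three directives shows the trade-off in one place: unsafe-none loads it with cookies, require-corp blocks it until the third party adds CORP: cross-origin, and credentialless loads it but with the credentials mode already reduced to same-origin before the request leaves the browser.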
Example
Cross-origin isolation using require-corp. All cross-origin subresources must have CORP or CORS headers. This enables SharedArrayBuffer and other isolated features.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Cross-origin isolation using credentialless. No-CORS cross-origin requests are sent without cookies, removing the need for third-party CORP headers.

Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin

A page using credentialless COEP with a third-party iframe. The credentialless attribute on the iframe creates an ephemeral context isolated from the parent's cookies and storage.

Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin

<iframe credentialless
        src="https://ads.example.re/banner">
</iframe>

Explicitly opting a cross-origin image into credentialed loading under credentialless COEP. The crossorigin="use-credentials" attribute triggers a CORS request that includes credentials, so the server must respond with matching CORS configuration (an Access-Control-Allow-Origin naming the requesting origin rather than a wildcard).

<img src="https://cdn.example.re/avatar.jpg"
     crossorigin="use-credentials">
Takeaway
The Cross-Origin-Embedder-Policy header controls cross-origin resource loading and enables cross-origin isolation when paired with Cross-Origin-Opener-Policy. The credentialless directive and the credentialless iframe attribute simplify deployment by removing the need for third-party servers to add CORP headers.
See also
- COEP: credentialless (Chrome Developers)
- IFrame credentialless (Chrome Developers)
- COEP: credentialless (WICG)
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- CORS
- HTTP headers