The HTTP Cross-Origin-Embedder-Policy response header is included by the server to prevent a document from accessing cross-origin resources that do not explicitly permit it.


The Cross-Origin-Embedder-Policy response header is a security measure that helps to prevent certain types of attacks, yet can take advantage of sharing resources from a different origin.

There are two directives, which are unsafe-none and require-corp.


The unsafe-none directive grants the document permission to access cross-origin resources without first receiving permissions using the CORS protocol or the HTTP Cross-Origin-Resource-Policy header. This is the default value.


The require-corp directive implies that the document can only access resources that are either from the same origin or have been specifically granted permission otherwise. If the cross-origin resource supports the CORS protocol then either the cross-origin attribute or the HTTP Cross-Origin-Resource-Policy header must be used to access it.


In the example, the require-corp directive gives the client access to certain features such as a SharedArrayBuffer. It is important to note that the HTTP Cross-Origin-Opener-Policy header is also required.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin


The HTTP Cross-Origin-Embedder-Policy response header prevents a document from accessing cross-origin resources that don’t explicitly grant permission to do so.

See also

Last updated: June 20, 2022