The HTTP Cross-Origin-Embedder-Policy response header is included by the server to prevent a document from accessing cross-origin resources that do not explicitly permit it.
The Cross-Origin-Embedder-Policy response header is a security measure that helps prevent certain types of attacks while still allowing resources from a different origin to be shared when they explicitly permit it.
There are two directives:
The unsafe-none directive grants the document permission to access cross-origin resources without first receiving permission through the CORS protocol or the HTTP Cross-Origin-Resource-Policy header. This is the default value.
The require-corp directive means that the document can only access resources that are either from the same origin or have been specifically granted permission otherwise. If the cross-origin resource supports the CORS protocol, then either the crossorigin attribute or the HTTP Cross-Origin-Resource-Policy header must be used to access it.
In the example, the require-corp directive gives the client access to certain features such as SharedArrayBuffer. Note that the HTTP Cross-Origin-Opener-Policy header is also required.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
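The require-corp rules and the header pair above, modeled as an added JavaScript example (not code from the original page) that can be used to find which subresources a page would lose before the policy is switched on. The helper names and all URLs are constructed for illustration, and same-site matching is approximated by the last two host labels instead of the Public Suffix List.

```javascript
// Added example; helper names and URLs are constructed for illustration.

// True only when both headers from the example above are present.
function isolationHeadersPresent(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = v.split(';')[0].trim(); // ignore parameters such as report-to
  }
  return h['cross-origin-embedder-policy'] === 'require-corp' &&
         h['cross-origin-opener-policy'] === 'same-origin';
}

// Assumption: "site" is approximated by the last two host labels.
function sameSite(doc, res) {
  const reg = (u) => u.hostname.split('.').slice(-2).join('.');
  return reg(doc) === reg(res) && (doc.protocol === 'https:' || res.protocol !== 'https:');
}

// resource: { url, mode: 'cors' | 'no-cors', corp: CORP header value or null }
// Returns 'allowed', 'blocked', or 'needs-cors' (the CORS check decides).
function embedDecision(documentUrl, coep, resource) {
  const doc = new URL(documentUrl);
  const res = new URL(resource.url);
  if (doc.origin === res.origin) return 'allowed';
  if (resource.mode === 'cors') return 'needs-cors'; // e.g. <img crossorigin>
  let policy = (resource.corp || '').trim();
  if (!['same-origin', 'same-site', 'cross-origin'].includes(policy)) policy = null;
  // Under require-corp, a response without a CORP header is treated as same-origin.
  if (policy === null && coep === 'require-corp') policy = 'same-origin';
  if (policy === null || policy === 'cross-origin') return 'allowed';
  if (policy === 'same-site' && sameSite(doc, res)) return 'allowed';
  return 'blocked';
}

// Lists the subresources a page would lose if it switched to require-corp.
function blockedUnderRequireCorp(documentUrl, resources) {
  return resources
    .filter((r) => embedDecision(documentUrl, 'require-corp', r) === 'blocked')
    .map((r) => r.url);
}

const page = 'https://app.example.com/';
const sampleResources = [ // constructed sample inventory
  { url: 'https://app.example.com/main.js', mode: 'no-cors', corp: null },
  { url: 'https://cdn.example.net/lib.js', mode: 'no-cors', corp: null },
  { url: 'https://cdn.example.net/font.woff2', mode: 'cors', corp: null },
  { url: 'https://img.example.org/logo.png', mode: 'no-cors', corp: 'cross-origin' },
  { url: 'https://static.example.com/a.png', mode: 'no-cors', corp: 'same-site' },
];
console.log(blockedUnderRequireCorp(page, sampleResources));
```

A resource reported as blocked needs either a Cross-Origin-Resource-Policy header from its server or a crossorigin attribute on the embedding element together with CORS support.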
The HTTP Cross-Origin-Embedder-Policy response header prevents a document from accessing cross-origin resources that don’t explicitly grant permission to do so.