Cross-Origin-Embedder-Policy Header

Table of Content

The Cross-Origin-Embedder-Policy (COEP) header is a security feature introduced to web servers that enables isolation policies between resources on different origins. It mitigates certain attacks such as Meltdown and Spectre by enforcing checks on cross-origin requests, telling the browser to load resources that are only loadable across origins with the right set of security headers.


Below is the standard syntax for the Cross-Origin-Embedder-Policy header.

Cross-Origin-Embedder-Policy: value


The Cross-Origin-Embedder-Policy header consists of two possible directive values:

  • unsafe-none: This is the default value if not specified. It means there's no restriction on the included resources.

  • require-corp: This allows the document to load resources only from the same-site origin but with the correct cross-origin resource policy.


These are common ways to set the Cross-Origin-Embedder-Policy header in HTTP response:

  • For unsafe-none: Cross-Origin-Embedder-Policy: unsafe-none
  • For require-corp: Cross-Origin-Embedder-Policy: require-corp

Browser Compatibility

Browser Compatibility
Chrome Supported
Firefox Not Supported
Safari Not Supported
Opera Supported
Edge Supported

How to modify Cross-Origin-Embedder-Policy header

The ModHeader is a Chrome extension that allows users to modify HTTP request headers. Here's an example of how to modify Cross-Origin-Embedder-Policy header:

  1. Add the ModHeader extension to your Chrome browser.
  2. Click on the ModHeader icon located in the browser toolbar.
  3. In the 'Request Headers' section, click on the '+' button to add a new header.
  4. Enter 'Cross-Origin-Embedder-Policy' in the name field, and 'require-corp' (or 'unsafe-none') in the value field.
  5. Now, each time you make a request in your browser using the same tab, the Cross-Origin-Embedder-Policy header will have the specified value.

This modification can be useful to test the behavior of a site with different Cross-Origin-Embedder-Policy header values, helping to debug cross-origin policy issues during development.