Table of Content
- Browser Compatibility
- How to modify Cross-Origin-Embedder-Policy header
The Cross-Origin-Embedder-Policy (COEP) header is a security feature introduced to web servers that enables isolation policies between resources on different origins. It mitigates certain attacks such as Meltdown and Spectre by enforcing checks on cross-origin requests, telling the browser to load resources that are only loadable across origins with the right set of security headers.
Below is the standard syntax for the Cross-Origin-Embedder-Policy header.
The Cross-Origin-Embedder-Policy header consists of two possible directive values:
unsafe-none: This is the default value if not specified. It means there's no restriction on the included resources.
require-corp: This allows the document to load resources only from the same-site origin but with the correct cross-origin resource policy.
These are common ways to set the Cross-Origin-Embedder-Policy header in HTTP response:
- For unsafe-none:
- For require-corp:
How to modify Cross-Origin-Embedder-Policy header
The ModHeader is a Chrome extension that allows users to modify HTTP request headers. Here's an example of how to modify Cross-Origin-Embedder-Policy header:
- Add the ModHeader extension to your Chrome browser.
- Click on the ModHeader icon located in the browser toolbar.
- In the 'Request Headers' section, click on the '+' button to add a new header.
- Enter 'Cross-Origin-Embedder-Policy' in the name field, and 'require-corp' (or 'unsafe-none') in the value field.
- Now, each time you make a request in your browser using the same tab, the Cross-Origin-Embedder-Policy header will have the specified value.
This modification can be useful to test the behavior of a site with different Cross-Origin-Embedder-Policy header values, helping to debug cross-origin policy issues during development.