Cross-Origin Embedder Policy — COEP Blocking Resources and SharedArrayBuffer

Overview

Fix Cross-Origin-Embedder-Policy (COEP) errors blocking images, scripts, and iframes while enabling SharedArrayBuffer and cross-origin isolation.

Key Details

• COEP requires all cross-origin resources to explicitly opt-in via CORS or CORP headers
• Enabling COEP (require-corp) is required for cross-origin isolation and SharedArrayBuffer access
• Resources without proper CORS/CORP headers are blocked, breaking images, scripts, and iframes from third parties
• Cross-origin isolation requires both COEP: require-corp and COOP: same-origin headers
• SharedArrayBuffer is needed for WebAssembly threads and high-resolution timers

Common Causes

• Third-party resources (images, ads, analytics scripts) not sending CORS or CORP headers
• Enabling COEP without auditing all cross-origin resources loaded by the page
• iframe content not setting Cross-Origin-Resource-Policy header
• CDN serving resources without Access-Control-Allow-Origin header

Steps

1. 1Audit all cross-origin resources on your page using Chrome DevTools Network tab filtered by 'blocked:mixed-content'
2. 2For resources you control: add Cross-Origin-Resource-Policy: cross-origin header
3. 3For resources you do not control: use crossorigin attribute on img/script tags and verify the server sends CORS headers
4. 4Use COEP: credentialless (instead of require-corp) for a less restrictive policy that still enables isolation
5. 5Test cross-origin isolation: check self.crossOriginIsolated in the browser console

Tags

More in 4xx Client Error

Frequently Asked Questions