Cross-Origin-Embedder-Policy-Report-Only (COEP) header

The HTTP Cross-Origin-Embedder-Policy-Report-Only (COEP) response header configures the current document's report-only policy for loading and embedding cross-origin resources that are requested in no-cors mode.

The header allows website administrators to report on resources that would be blocked by COEP, without preventing them from being loaded. This allows for a softer rollout of enforcement.

Note: See Cross-Origin-Embedder-Policy for more complete information and examples.

The headers are the same, except that Cross-Origin-Embedder-Policy actually blocks resources from loading and is required for a document to be cross-origin isolated. In addition, violation reports from Cross-Origin-Embedder-Policy-Report-Only have a disposition of "reporting" instead of "enforce".

Header type: Response header

Syntax

Cross-Origin-Embedder-Policy-Report-Only: <token>; <parameter>

Directives

The header should be set with exactly one token and a report-to endpoint.

Setting the header more than once or with multiple tokens is equivalent to setting unsafe-none. Omitting report-to makes the header functionally inert.

The <token> value can be one of:

unsafe-none

Allows the document to load cross-origin resources requested in no-cors mode without giving explicit permission through the Cross-Origin-Resource-Policy header. This is the default value.

require-corp

A document can only load resources requested in no-cors mode from the same origin, or resources that have explicitly set the Cross-Origin-Resource-Policy header to a value that allows it to be embedded.

Cross-origin resource loading will be blocked by COEP unless:

  • The resource is requested in no-cors mode and the response includes a Cross-Origin-Resource-Policy header that allows it to be loaded into the document origin.
  • The resource is requested in cors mode, for example, in HTML using the crossorigin attribute, or in JavaScript by making a request with { mode: "cors" }. Note that requests made in cors mode won't be blocked by COEP or trigger COEP violations, but must still be permitted by CORS.

credentialless

A document can load cross-origin resources that are requested in no-cors mode without an explicit permission via the Cross-Origin-Resource-Policy header. In this case requests are sent without credentials: cookies are omitted in the request, and ignored in the response.

The cross-origin loading behavior for other request modes is the same as for require-corp. For example, a cross-origin resource requested in cors mode must support (and be permitted by) CORS.

The <parameter> is optional, and can be one of:

report-to <endpoint_name> Optional

The <endpoint_name> is the name of the endpoint to which policy violations will be sent. The mapping between the name and a particular endpoint is defined separately in the Reporting-Endpoints HTTP header.
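As an added example (not part of this page or of any browser's code), the following Python helper applies the rules stated above to decide what a given Cross-Origin-Embedder-Policy-Report-Only header will actually do before it is rolled out: repeated headers or multiple tokens collapse to unsafe-none, and a missing report-to leaves the header inert. The endpoint names and URLs are constructed, and treating an endpoint name that Reporting-Endpoints does not declare as inert is an assumption.

```python
"""Constructed helper: evaluate the effective Cross-Origin-Embedder-Policy-Report-Only
policy from raw response headers, following the rules stated on the page."""
from dataclasses import dataclass
from typing import Optional

TOKENS = {"unsafe-none", "require-corp", "credentialless"}


@dataclass
class ReportOnlyPolicy:
    token: str
    endpoint: Optional[str]    # report-to endpoint name, if any
    report_url: Optional[str]  # resolved via Reporting-Endpoints, if declared
    inert: bool                # True when no violation report can be delivered


def parse_reporting_endpoints(value: str) -> dict:
    """Parse a Reporting-Endpoints header (name="url", name2="url2") into a dict."""
    endpoints = {}
    for member in value.split(","):
        if "=" not in member:
            continue
        name, url = member.split("=", 1)
        endpoints[name.strip()] = url.strip().strip('"')
    return endpoints


def effective_report_only_policy(coep_ro_values: list, reporting_endpoints: str = "") -> ReportOnlyPolicy:
    """coep_ro_values holds every Cross-Origin-Embedder-Policy-Report-Only value on the
    response, in order (a list because the header may be sent more than once)."""
    # Absent, or set more than once: equivalent to unsafe-none and nothing to report.
    if len(coep_ro_values) != 1:
        return ReportOnlyPolicy("unsafe-none", None, None, True)
    parts = [p.strip() for p in coep_ro_values[0].split(";")]
    token, params = parts[0].lower(), parts[1:]
    # Multiple tokens ("require-corp, credentialless") are equivalent to unsafe-none;
    # an unrecognised token is treated the same way (assumption: it is the default).
    if "," in token or token not in TOKENS:
        token = "unsafe-none"
    endpoint = None
    for param in params:  # parameter syntax: report-to="<endpoint_name>"
        name, _, val = param.partition("=")
        if name.strip().lower() == "report-to":
            endpoint = val.strip().strip('"')
    url = parse_reporting_endpoints(reporting_endpoints).get(endpoint) if endpoint else None
    # No report-to, or a name that Reporting-Endpoints never maps (assumption): inert.
    return ReportOnlyPolicy(token, endpoint, url, inert=url is None)
```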

Specifications

HTML Standard: #coep
