Cross-Origin-Embedder-Policy
Enabled Prevent a document from loading certain cross-origin resources.
The HTTP Cross-Origin-Embedder-Policy
(COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission.
This header should be configured with COOP
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({
// Global
security: {
headers: {
crossOriginEmbedderPolicy: <OPTIONS>,
},
},
// Per route
routeRules: {
'/custom-route': {
security: {
headers: {
crossOriginEmbedderPolicy: <OPTIONS>,
},
},
}
}
})
You can also disable this header by crossOriginEmbedderPolicy: false
.
Default value
By default in owaspDefaults: 'compatibility'
mode, Nuxt Security will set the following value for this header.
Cross-Origin-Embedder-Policy: credentialless
Available values
The crossOriginEmbedderPolicy
header can be configured with following values.
crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | false;
unsafe-none
Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
require-corp
This is the default value. A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
credentialless
no-cors cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header. Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
Avoiding blockage with CORS
here.