Cross-Origin-Embedder-Policy

Enabled: prevents a document from loading certain cross-origin resources.


The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission.

ℹ Read more about this header here.

This header should be configured together with the Cross-Origin-Opener-Policy (COOP) header.

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      crossOriginEmbedderPolicy: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          crossOriginEmbedderPolicy: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by setting crossOriginEmbedderPolicy: false.

Default value

By default, in owaspDefaults: 'compatibility' mode, Nuxt Security sets the following value for this header.

Cross-Origin-Embedder-Policy: credentialless

Available values

The crossOriginEmbedderPolicy header can be configured with the following values.

crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | false;

unsafe-none

Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

require-corp

This is the default value. A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross-origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.

credentialless

Cross-origin no-cors requests are sent without credentials. In particular, cookies are omitted from the request and ignored in the response. Such responses are allowed without explicit permission via the Cross-Origin-Resource-Policy header. Navigation responses behave as in require-corp mode: they require a Cross-Origin-Resource-Policy response header.
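The three values above differ in when a cross-origin resource is blocked and whether cookies travel with the request. The following is an added example, not code from nuxt-security or from this page: it models those rules for a single resource load and, for the Usage section, resolves which header line a config in the shape shown earlier produces for a given path. The resource description fields (sameOrigin, sameSite, corsMode, corp, navigation), the sample config and the exact-match routeRules lookup are all constructed assumptions; the module's real route matching and the browser's full algorithm have more cases than this.

```javascript
// Added example, not nuxt-security code: a small model of how a browser treats
// a cross-origin resource under each Cross-Origin-Embedder-Policy value, plus a
// helper that resolves the header value from a nuxt-security-style config
// (global value overridden by an exact-match routeRules entry; this simplified
// lookup is an assumption, the module's real route matching is richer).

const COEP_VALUES = ['unsafe-none', 'require-corp', 'credentialless'];

// Cross-Origin-Resource-Policy is checked on no-cors requests independently of
// COEP. Returns 'allow', 'block', or 'absent' (no CORP header on the response).
function corpVerdict(res) {
  switch (res.corp) {
    case undefined: return 'absent';
    case 'cross-origin': return 'allow';
    case 'same-site': return res.sameSite ? 'allow' : 'block';
    case 'same-origin': return res.sameOrigin ? 'allow' : 'block';
    default: throw new Error(`unknown Cross-Origin-Resource-Policy value: ${res.corp}`);
  }
}

/**
 * Decide whether a document sending `coep` may use the described resource.
 * `res` is a constructed description of the fetched resource:
 *   sameOrigin  - served from the document's own origin
 *   sameSite    - served from the same site (registrable domain)
 *   corsMode    - fetched in CORS mode (e.g. <img crossorigin>) and the server's CORS check passed
 *   corp        - value of the response's Cross-Origin-Resource-Policy header, if any
 *   navigation  - the response is a navigation (iframe), not a subresource
 * Returns { allowed, credentials ('include' | 'omit'), reason }.
 */
function evaluateLoad(coep, res) {
  if (!COEP_VALUES.includes(coep)) throw new Error(`unknown COEP value: ${coep}`);
  const ok = (credentials, reason) => ({ allowed: true, credentials, reason });
  const blocked = (reason) => ({ allowed: false, credentials: 'omit', reason });

  if (res.sameOrigin) return ok('include', 'same-origin resource, COEP does not apply');
  // A CORS-approved subresource request carries explicit permission from the server.
  if (res.corsMode && !res.navigation) return ok('include', 'CORS request approved by the server');

  const corp = corpVerdict(res);
  if (corp === 'block') return blocked('Cross-Origin-Resource-Policy forbids this context');

  switch (coep) {
    case 'unsafe-none':
      return ok('include', 'unsafe-none: no embedder restriction');
    case 'require-corp':
      return corp === 'allow'
        ? ok('include', 'require-corp: CORP header grants permission')
        : blocked('require-corp: response has neither CORS nor CORP permission');
    case 'credentialless':
      if (res.navigation) {
        return corp === 'allow'
          ? ok('include', 'credentialless: navigation permitted by CORP')
          : blocked('credentialless: navigations still require a CORP header');
      }
      // no-cors subresource: accepted, but the request was sent without cookies
      return ok('omit', 'credentialless: no-cors response accepted, credentials omitted');
  }
}

// Evaluate the same resource under all three values, to compare modes side by side.
function compareModes(res) {
  return Object.fromEntries(COEP_VALUES.map((v) => [v, evaluateLoad(v, res)]));
}

// Resolve the header line for `path` given a config in the shape shown in the
// Usage section (global security.headers plus routeRules overrides).
function resolveHeaderValue(nuxtConfig, path) {
  const globalValue = nuxtConfig.security?.headers?.crossOriginEmbedderPolicy;
  const routeValue = nuxtConfig.routeRules?.[path]?.security?.headers?.crossOriginEmbedderPolicy;
  const value = routeValue !== undefined ? routeValue : globalValue;
  // `false` disables the header for that route; undefined means no setting at all
  return value === false || value === undefined ? null : `Cross-Origin-Embedder-Policy: ${value}`;
}

// Constructed sample: a third-party image with no CORP header and no crossorigin attribute.
const thirdPartyImage = { sameOrigin: false, sameSite: false, corsMode: false, corp: undefined, navigation: false };

// Constructed config: strict globally, relaxed on one route, disabled on another.
const sampleConfig = {
  security: { headers: { crossOriginEmbedderPolicy: 'require-corp' } },
  routeRules: {
    '/reports': { security: { headers: { crossOriginEmbedderPolicy: 'credentialless' } } },
    '/legacy-embed': { security: { headers: { crossOriginEmbedderPolicy: false } } },
  },
};

console.log(compareModes(thirdPartyImage));
console.log(resolveHeaderValue(sampleConfig, '/'), resolveHeaderValue(sampleConfig, '/legacy-embed'));
```

Running it shows the practical difference: the same third-party image is blocked under require-corp, accepted with cookies under unsafe-none, and accepted without cookies under credentialless, while a cross-origin iframe without a CORP header is blocked under both require-corp and credentialless. Use the per-route override only where a route genuinely needs a resource that cannot send CORP or CORS headers, and keep the global value strict.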

⚠️ Read more about avoiding blockage with CORS here.

Incompatible resources