Cross-Origin Embedder Policy (COEP)
COEP lets a document require that every resource it loads from another origin has explicitly given permission to be embedded; cross-origin resources that have not opted in are blocked instead of loaded.
- It is set with the HTTP header: Cross-Origin-Embedder-Policy: require-corp
- with COEP, you can make sure that your website embeds only resources that carry CORS (Cross-Origin Resource Sharing) or CORP (Cross-Origin Resource Policy) headers
- it can also be used to defend against CSRH (Client-Side Request Hijacking) (Khodayari, Barber, et al., 2024)
It can protect from embedding unwanted:
- <script src="https://example.com/script.js"></script>
- <img src="https://example.com/image.png">
- <iframe src="https://example.com"></iframe>
- <video>, <audio>, <link rel="stylesheet">, <object>, <embed>
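The decision a browser makes for each embedded response under require-corp, written out as an added example (not code from the original page): same-origin passes, a CORS-mode request passes if its Access-Control-Allow-Origin matches, and a no-cors cross-origin request passes only with a permissive CORP header. The function names are mine, and the same-site test is simplified to "last two host labels" instead of the Public Suffix List that real browsers use.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port): the origin tuple a browser compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def same_site(origin_a, origin_b):
    """Simplified same-site check (assumption: last two labels, not the PSL)."""
    if origin_a[0] != origin_b[0]:
        return False
    site = lambda host: ".".join(host.split(".")[-2:])
    return site(origin_a[1]) == site(origin_b[1])


def coep_allows(document_url, resource_url, response_headers, cors_mode=False):
    """May a document served with COEP: require-corp embed this response?

    cors_mode=True models a CORS request (<script crossorigin>, fetch());
    False models the no-cors load that a plain <img> or <script> performs.
    Returns (allowed, reason).
    """
    doc, res = origin_of(document_url), origin_of(resource_url)
    if doc == res:
        return True, "same-origin: COEP adds no requirement"
    headers = {k.lower(): v.strip().lower() for k, v in response_headers.items()}
    if cors_mode:
        # A CORS-allowed response satisfies require-corp without any CORP header.
        port = "" if doc[2] == DEFAULT_PORTS.get(doc[0]) else f":{doc[2]}"
        doc_origin = f"{doc[0]}://{doc[1]}{port}"
        acao = headers.get("access-control-allow-origin")
        if acao == "*" or acao == doc_origin:
            return True, "CORS-allowed response"
        return False, "CORS request but Access-Control-Allow-Origin missing/mismatched"
    corp = headers.get("cross-origin-resource-policy")
    if corp == "cross-origin":
        return True, "CORP: cross-origin opts the resource in for any embedder"
    if corp == "same-site" and same_site(doc, res):
        return True, "CORP: same-site and the document is on the same site"
    return False, "no-cors cross-origin response lacks a permissive CORP header: blocked"
```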