COEP / CORP / COOP Headers Reference

Cross-Origin Embedder, Resource, Opener Policy headers with isolation model.

Reference for the COEP, CORP and COOP cross-origin isolation headers, their accepted values and how they combine to enable crossOriginIsolated and SharedArrayBuffer. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What unlocks crossOriginIsolated?

A document is cross-origin isolated only when it sends both Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp (or credentialless). Once isolated, window.crossOriginIsolated is true and SharedArrayBuffer and high-resolution timers become available.

Earning cross-origin isolation

Powerful web APIs such as SharedArrayBuffer and unthrottled performance.now() are gated behind cross-origin isolation. A document earns it by combining three headers — Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) and, on its subresources, Cross-Origin-Resource-Policy (CORP). This reference covers each header’s values and computes whether a given COOP/COEP pair isolates the page.

How it works

COOP controls the document’s browsing-context group; COEP controls how it may embed cross-origin resources; CORP is set by each resource to declare who may embed it:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin

Isolation is granted only when the top-level document sends COOP: same-origin and COEP: require-corp or credentialless. With require-corp, every cross-origin subresource must opt in with a CORP header (or be loaded via CORS) or the browser blocks it. credentialless relaxes that by loading no-CORS cross-origin resources without credentials.

Header values at a glance

Cross-Origin-Opener-Policy (COOP)

ValueEffect
same-originPage is in its own browsing-context group; enables isolation
same-origin-allow-popupsKeeps opener reference for popups you open; does NOT isolate
unsafe-noneDefault; pages can share a group with cross-origin opener

Cross-Origin-Embedder-Policy (COEP)

ValueEffect
require-corpBlocks cross-origin resources that do not send CORP or CORS
credentiallessFetches no-CORS cross-origin resources without credentials
unsafe-noneDefault; no restrictions on embedding

Cross-Origin-Resource-Policy (CORP)

ValueSet byEffect
same-originResourceOnly the same origin may load this resource
same-siteResourceThe same eTLD+1 may load it
cross-originResourceAny origin may load it under COEP require-corp

What isolation actually unlocks

Once self.crossOriginIsolated is true, the following become available:

  • SharedArrayBuffer (used for multi-threaded WebAssembly, Atomics)
  • High-resolution performance.now() (unthrottled timer)
  • postMessage with Atomics.wait() on SharedArrayBuffer objects

These APIs were restricted after the Spectre timing-attack class of vulnerability. Cross-origin isolation proves the page cannot read cross-origin memory, satisfying the security constraint.

Practical rollout order

  1. Audit every cross-origin resource your page loads (images, fonts, scripts, iframes).
  2. Add Cross-Origin-Resource-Policy: cross-origin to resources you control.
  3. For third-party resources you cannot modify, choose COEP: credentialless instead of require-corp.
  4. Set COOP: same-origin and verify no popup flows rely on window.opener.
  5. Deploy both headers and confirm self.crossOriginIsolated === true in the browser console.

Tips and notes

  • Both COOP and COEP must be present and correct — one alone does nothing.
  • Audit subresources before enabling COEP; missing CORP/CORS will break images, scripts and fonts.
  • COOP: same-origin-allow-popups keeps opener for popups you open but does not enable isolation.
  • Check self.crossOriginIsolated at runtime to confirm the page is isolated.
  • Prefer credentialless for faster rollout when you cannot add CORP to every dependency.