Cross-Origin-Embedder-Policy

    The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures the current document's policy for loading and embedding cross-origin resources.

    The policy for whether a particular resource is embeddable cross-site may be defined for that resource using the Cross-Origin-Resource-Policy (CORP) header for a no-cors fetch, or using CORS. If neither of these policies is set, then by default, resources can be loaded or embedded into a document as though they had a CORP value of cross-site.

    The Cross-Origin-Embedder-Policy allows you to require that CORP or CORS headers be set in order to load cross-site resources into the current document. You can also set the policy to keep the default behaviour, or to allow the resources to be loaded, but strip any credentials that might otherwise be sent. The policy applies to loaded resources, and resources in <iframe>s and nested frames.

    Note: The Cross-Origin-Embedder-Policy doesn't override or affect the embedding behaviour for a resource for which CORP or CORS has been set. If CORP restricts a resource to being embedded only same-origin, it won't be loaded cross-origin into a document irrespective of the COEP value.

    Header type: Response header
    Forbidden response header name: No
    Syntax

    http
    Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless
    

    Directives

    unsafe-none

    Allows the document to load cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header. This is the default value.

    require-corp

    A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.

    Cross-origin resource loading will be blocked by COEP unless:

    • The resource is requested in no-cors mode and the response includes a Cross-Origin-Resource-Policy header that allows it to be loaded into the document origin.
    • The resource is requested in cors mode and the resource supports and is permitted by CORS. This can be done, for example, in HTML using the crossorigin attribute, or in JavaScript by making a request with { mode: "cors" }.

    credentialless

    A document can load cross-origin resources that are requested in no-cors mode without explicit permission via the Cross-Origin-Resource-Policy header. In this case requests are sent without credentials: cookies are omitted in the request, and ignored in the response.

    The cross-origin loading behaviour for other request modes is the same as for require-corp. For example, a cross-origin resource requested in cors mode must support (and be permitted by) CORS.
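    The directive descriptions above can be turned into a small decision model. The following is an added example, not code from MDN or from any browser: it takes the embedding document's COEP value, the request mode, and the resource's CORP and Access-Control-Allow-Origin headers, and reports whether the load is allowed and whether cookies travel with it. The function names (coepDecision, corpPermits, siteOf) are this example's own, and siteOf assumes plain two-label sites; a real implementation must use the Public Suffix List for the same-site comparison.

```javascript
// Added example (not MDN's code): model of the COEP load decision for a subresource.

// Registrable domain for the "same-site" comparison. Assumption: two-label sites
// such as "example.com"; real code must consult the Public Suffix List.
function siteOf(url) {
  return url.hostname.split(".").slice(-2).join(".");
}

// Does a Cross-Origin-Resource-Policy value permit a no-cors load of `resource`
// into a document at `doc`? Returns null when the header is absent or has an
// unknown value (browsers ignore unrecognised CORP values).
function corpPermits(corp, doc, resource) {
  switch ((corp || "").trim().toLowerCase()) {
    case "cross-origin": return true;
    case "same-site":    return doc.protocol === resource.protocol && siteOf(doc) === siteOf(resource);
    case "same-origin":  return doc.origin === resource.origin;
    default:             return null;
  }
}

// coep:        the embedding document's Cross-Origin-Embedder-Policy value
// mode:        "no-cors" (plain <img>/<script>) or "cors" (crossorigin attribute, fetch mode:"cors")
// corp:        the resource's Cross-Origin-Resource-Policy header, if any
// acao:        the resource's Access-Control-Allow-Origin header, if any
// credentials: the credentials mode the page would otherwise use for the request
function coepDecision({ coep, mode, documentUrl, resourceUrl, corp, acao, credentials = "include" }) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);

  // COEP only constrains cross-origin loads; same-origin resources are never affected.
  if (doc.origin === res.origin) {
    return { allowed: true, credentials, reason: "same-origin" };
  }

  if (mode === "cors") {
    // CORS decides. A wildcard ACAO is not valid for a credentialed request.
    const ok = acao === doc.origin || (acao === "*" && credentials !== "include");
    return { allowed: ok, credentials, reason: ok ? "cors-permitted" : "cors-rejected" };
  }

  // no-cors from here on. CORP is enforced whatever the COEP value is.
  const permit = corpPermits(corp, doc, res);
  if (permit === false) {
    return { allowed: false, credentials, reason: "corp-rejected" };
  }
  switch (coep) {
    case "require-corp":
      // Without an explicit CORP opt-in the load is blocked.
      return permit === true
        ? { allowed: true, credentials, reason: "corp-permitted" }
        : { allowed: false, credentials, reason: "corp-missing" };
    case "credentialless":
      // Allowed without CORP, but the request is sent without cookies.
      return { allowed: true, credentials: "omit", reason: permit ? "corp-permitted" : "credentialless" };
    default: // "unsafe-none" or header absent
      return { allowed: true, credentials, reason: "unsafe-none" };
  }
}
```

    Run it against the cases in the directive descriptions: an <img> from another origin with no CORP header is blocked under require-corp, loaded without cookies under credentialless, and loaded with cookies under unsafe-none; a CORP: same-origin response is blocked under every COEP value.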

    Examples

    Features that depend on cross-origin isolation

    Certain features, such as access to SharedArrayBuffer objects, are only available if your document is cross-origin isolated.

    To use these features in a document, you will need to set the COEP header with a value of require-corp or credentialless, and the Cross-Origin-Opener-Policy header to same-origin. In addition the feature must not be blocked by Permissions-Policy: cross-origin-isolated.

    http
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    

    You can use the Window.crossOriginIsolated and WorkerGlobalScope.crossOriginIsolated properties to check if the features are restricted in window and worker contexts, respectively:

    js
    const myWorker = new Worker("worker.js");

    // SharedArrayBuffer can only be constructed and transferred in a
    // cross-origin isolated context; fall back to a plain ArrayBuffer otherwise.
    if (crossOriginIsolated) {
      const buffer = new SharedArrayBuffer(16);
      myWorker.postMessage(buffer);
    } else {
      const buffer = new ArrayBuffer(16);
      myWorker.postMessage(buffer);
    }
    
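    Before relying on crossOriginIsolated in the page, it helps to verify the response headers a server actually sends. The following is an added example, not MDN's or any browser's code: given a header map such as Node's response headers, it strips any report-to parameter, checks the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy values required above, and flags a Permissions-Policy that disables cross-origin-isolated. Function names (crossOriginIsolationStatus, isolationHeaders, policyToken, getHeader) are this example's own; it only evaluates a top-level document's own headers and does not model nested frames.

```javascript
// Added example (not MDN's code): does this header set yield a cross-origin isolated document?

// Take the policy token before any ";" parameter (e.g. 'same-origin; report-to="coop"').
// Assumption: a single header value string (join multiple values with "," first).
function policyToken(value) {
  if (value === undefined || value === null) return "";
  return String(value).split(";")[0].trim().toLowerCase();
}

// Case-insensitive lookup over a plain header object (e.g. Node's res.headers).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v.join(",") : v;
  }
  return undefined;
}

// Returns { isolated, problems }; problems lists what still has to change.
function crossOriginIsolationStatus(headers) {
  const problems = [];
  const coop = policyToken(getHeader(headers, "Cross-Origin-Opener-Policy"));
  const coep = policyToken(getHeader(headers, "Cross-Origin-Embedder-Policy"));
  const permissionsPolicy = getHeader(headers, "Permissions-Policy") || "";

  if (coop !== "same-origin") {
    problems.push(`Cross-Origin-Opener-Policy must be "same-origin" (got "${coop || "<absent>"}")`);
  }
  if (coep !== "require-corp" && coep !== "credentialless") {
    problems.push(`Cross-Origin-Embedder-Policy must be "require-corp" or "credentialless" (got "${coep || "<absent>"}")`);
  }
  // An empty allowlist for cross-origin-isolated denies the feature even with both headers set.
  if (/\bcross-origin-isolated\s*=\s*\(\s*\)/i.test(permissionsPolicy)) {
    problems.push("Permissions-Policy: cross-origin-isolated=() blocks the feature");
  }
  return { isolated: problems.length === 0, problems };
}

// The header pair the text above prescribes, ready to merge into a server response.
function isolationHeaders() {
  return {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
  };
}
```

    The check accepts credentialless as well as require-corp, and tolerates report-to parameters on either header, so it can be pointed at the headers of a real response without normalising them first.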

    Avoiding COEP blockage with CORS

    If you enable COEP using require-corp and want to embed a cross-origin resource that supports CORS, you will need to explicitly specify that it is requested in cors mode.

    For example, to fetch an image declared in HTML from a third-party site that supports CORS, you can use the crossorigin attribute so that it is requested in cors mode:

    html
    <img src="https://thirdparty.com/img.png" crossorigin />
    

    You can similarly use the HTMLScriptElement.crossOrigin attribute or fetch with { mode: 'cors' } to request a file in CORS mode using JavaScript.

    If CORS is not supported for some images, a COEP value of credentialless can be used as an alternative to load the image without any explicit opt-in from the cross-origin server, at the cost of requesting it without cookies.
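    When enabling require-corp on an existing page, the first job is finding every cross-origin subresource and deciding, per resource, whether to add crossorigin (and rely on CORS), ask the third party for a CORP header, or fall back to credentialless. The following is an added example, not MDN's code: a scanner over an HTML string that classifies img, script, link, audio, video and source elements by origin and request mode. The function name (auditCoepSubresources) and the sample HTML are this example's own constructions; it uses regular expressions rather than a real HTML parser and deliberately skips iframes, whose embedded documents are governed by their own COEP rather than by CORP.

```javascript
// Added example (not MDN's code): find subresources that COEP: require-corp would block.

const TAG_RE = /<(img|script|link|audio|video|source)\b([^>]*)>/gi;
// Match src= or href= as a standalone attribute (not data-src=), quoted or bare.
const URL_ATTR_RE = /(?:^|\s)(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const CROSSORIGIN_RE = /(?:^|\s)crossorigin(?:\s|=|$)/i;

function auditCoepSubresources(html, documentUrl) {
  const doc = new URL(documentUrl);
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, attrs] = m;
    const u = attrs.match(URL_ATTR_RE);
    if (!u) continue;
    const raw = u[1] ?? u[2] ?? u[3];
    let target;
    try { target = new URL(raw, doc); } catch { continue; }  // malformed URL: nothing to fetch
    if (!/^https?:$/.test(target.protocol)) continue;          // data:, blob:, javascript: are not cross-origin fetches
    if (target.origin === doc.origin) continue;                // same-origin: never affected by COEP
    const hasCrossorigin = CROSSORIGIN_RE.test(attrs);
    findings.push({
      tag: tag.toLowerCase(),
      url: target.href,
      mode: hasCrossorigin ? "cors" : "no-cors",
      requirement: hasCrossorigin
        ? "third party must answer with a matching Access-Control-Allow-Origin"
        : "third party must send Cross-Origin-Resource-Policy: cross-origin, or add crossorigin to switch to CORS, or use COEP: credentialless",
    });
  }
  return findings;
}

// Constructed sample document: one same-origin image, two third-party images
// (one with crossorigin), a CORS script, a protocol-relative stylesheet and a data: URL.
const SAMPLE_HTML = `
<img src="/static/logo.png">
<img src="https://thirdparty.com/img.png">
<img src="https://thirdparty.com/avatar.png" crossorigin>
<script src="https://cdn.example.net/lib.js" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//fonts.example.org/style.css">
<img src="data:image/png;base64,AAAA">
`;

// Usage: auditCoepSubresources(SAMPLE_HTML, "https://app.example.com/index.html")
// reports the two no-cors third-party loads (img.png, style.css) as needing CORP
// or a crossorigin attribute, and the two cors loads as needing a matching ACAO.
```

    The no-cors findings are the ones that break when require-corp is switched on; the cors findings already fail today if the third party does not answer with CORS, so they are unaffected by the COEP change.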

    Specifications

    Specification: HTML Standard, # coep
