Without Cross-Origin-Embedder-Policy (COEP), the browser cannot verify that cross-origin resources embedded in your page have opted into being loaded, which leaves the page open to side-channel data leaks such as timing attacks on resource loading behavior. COEP is also the gate for `SharedArrayBuffer` and `performance.measureUserAgentSpecificMemory()` — both are blocked by default until cross-origin isolation is established. CWE-1021 applies to cross-origin resource embedding without explicit consent. OWASP A05 identifies missing cross-origin isolation headers as a hardening gap for apps processing sensitive data.
Medium because COEP is required for full cross-origin isolation and `SharedArrayBuffer` access, and its absence represents an incomplete security posture even when COOP is configured.
Set Cross-Origin-Embedder-Policy in next.config.js. Start with `credentialless` for compatibility — it allows CDN images and fonts to load without requiring those servers to set CORP headers.
// next.config.js
// Next.js expects headers() to be an async function returning an array of
// { source, headers } entries; '/(.*)' applies the header to every route.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Cross-Origin-Embedder-Policy',
        value: 'credentialless'
      }]
    }];
  }
};
Test all third-party embeds (YouTube iframes, payment widgets, chat tools) after deployment — COEP blocks cross-origin resources that don't set a permissive CORP header or pass a CORS check. Switch to `require-corp` only after auditing every embedded resource.
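The audit described above can be rehearsed before deployment. The following is an added example, not code from the original checklist or from Next.js: it takes a list of cross-origin resources the page embeds (constructed samples here, with the headers their servers return), and predicts which ones the browser's COEP check would block under `credentialless` versus `require-corp`. The page origin, resource URLs and header values are all assumptions made up for the example; CORP `same-site` handling and the framed document's own COEP requirement are deliberately not modelled.

```javascript
// Added example: predict which embedded cross-origin resources break under
// a candidate Cross-Origin-Embedder-Policy value. Not part of the checklist.

const PAGE_ORIGIN = 'https://app.example'; // constructed sample origin

// Constructed sample resources: what the page requests and what each
// cross-origin server answered. Header names are lower-cased.
const EMBEDDED_RESOURCES = [
  { url: 'https://cdn.example/logo.png', kind: 'img', requestMode: 'no-cors', headers: {} },
  { url: 'https://fonts.example/inter.woff2', kind: 'font', requestMode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
  { url: 'https://video.example/embed/abc', kind: 'iframe', requestMode: 'navigate', headers: {} },
  { url: 'https://pay.example/widget.js', kind: 'script', requestMode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'cross-origin' } },
  { url: 'https://app.example/static/app.js', kind: 'script', requestMode: 'no-cors', headers: {} },
];

function isSameOrigin(url) {
  return new URL(url).origin === PAGE_ORIGIN;
}

// CORP opt-in: the resource server explicitly allows cross-origin embedding.
function corpAllows(headers) {
  const corp = (headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  return corp === 'cross-origin';
}

// CORS opt-in for requests made with a crossorigin attribute / fetch('cors').
function corsAllows(headers) {
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === PAGE_ORIGIN;
}

// Returns { allowed, reason } for one resource under the given COEP mode
// ('require-corp' or 'credentialless').
function coepVerdict(resource, coepMode) {
  if (isSameOrigin(resource.url)) {
    return { allowed: true, reason: 'same-origin: COEP does not apply' };
  }
  if (resource.requestMode === 'cors') {
    return corsAllows(resource.headers)
      ? { allowed: true, reason: 'CORS check passed' }
      : { allowed: false, reason: 'CORS request without a matching Access-Control-Allow-Origin' };
  }
  if (resource.requestMode === 'navigate') {
    // Frames are not relaxed by credentialless: the framed response needs CORP
    // (and the framed document must itself send a compatible COEP).
    return corpAllows(resource.headers)
      ? { allowed: true, reason: 'frame response carries CORP: cross-origin' }
      : { allowed: false, reason: 'frame response lacks Cross-Origin-Resource-Policy' };
  }
  // no-cors subresource (img, font, script without crossorigin attribute)
  if (corpAllows(resource.headers)) {
    return { allowed: true, reason: 'CORP: cross-origin' };
  }
  if (coepMode === 'credentialless') {
    return { allowed: true, reason: 'credentialless: no-cors request sent without credentials' };
  }
  return { allowed: false, reason: 'require-corp: missing Cross-Origin-Resource-Policy' };
}

// Lists the URLs that would be blocked under the given mode.
function blockedUnder(resources, coepMode) {
  return resources
    .filter((r) => !coepVerdict(r, coepMode).allowed)
    .map((r) => r.url);
}

for (const mode of ['credentialless', 'require-corp']) {
  console.log(mode, '=> blocked:', blockedUnder(EMBEDDED_RESOURCES, mode));
}
```

In the sample set, `credentialless` only breaks the third-party iframe (it needs CORP on the framed response regardless of mode), while `require-corp` additionally breaks the CDN image that sends no CORP header. Running a table like this against the real embed list is the audit the remediation asks for before switching modes.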
ID: security-headers-ii.cross-origin-isolation.coep-configured
Severity: medium
What to look for: Check framework config, middleware, and deployment config for a Cross-Origin-Embedder-Policy (COEP) header. Acceptable values: `require-corp` (strictest — every cross-origin resource must opt in via CORP or pass CORS) or `credentialless` (cross-origin no-cors requests are sent without credentials and may load without CORP, which keeps CDN images and fonts working). COEP is required for `SharedArrayBuffer` access and full cross-origin isolation.
Pass criteria: COEP header is set to `require-corp` or `credentialless` — at least one location must configure it. Quote the actual header value and count all locations where COEP is configured.
Fail criteria: No COEP header configured.
Skip (N/A) when: No SharedArrayBuffer usage detected and the project does not explicitly need cross-origin isolation. Also skip if the project loads many third-party resources that would break under COEP (document the reason).
Detail on fail: "No Cross-Origin-Embedder-Policy header configured — cross-origin isolation not enabled" or "COEP not set — SharedArrayBuffer access requires cross-origin isolation"
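The pass, fail and skip criteria above can be applied mechanically once the locations that set the header have been collected. The following is an added example, not part of the original checklist: it takes a list of findings (each a config location and the COEP value found there, constructed samples here), normalizes the value (dropping a trailing `report-to` parameter), counts the acceptable locations and quotes each value in the detail string. The location names and the `needsIsolation` option are assumptions for the example.

```javascript
// Added example: evaluate collected COEP findings against the check's
// pass / fail / skip criteria. Not part of the checklist itself.

const ACCEPTABLE_COEP = new Set(['require-corp', 'credentialless']);

// Constructed sample findings: where a COEP header was found and its raw value.
const SAMPLE_FINDINGS = [
  { location: 'next.config.js headers()', value: 'credentialless' },
  { location: 'middleware.ts', value: 'unsafe-none' },          // the browser default; not isolation
  { location: 'vercel.json', value: 'require-corp; report-to="coep"' },
];

// COEP values may carry parameters (e.g. report-to); only the directive counts.
function normalizeCoep(value) {
  return String(value).split(';')[0].trim().toLowerCase();
}

// needsIsolation: true when the project uses SharedArrayBuffer or otherwise
// requires cross-origin isolation (assumed to be known from a separate check).
function evaluateCoep(findings, { needsIsolation = true } = {}) {
  const configured = findings
    .map((f) => ({ ...f, directive: normalizeCoep(f.value) }))
    .filter((f) => ACCEPTABLE_COEP.has(f.directive));

  if (configured.length === 0) {
    if (!needsIsolation) {
      return {
        status: 'skip',
        count: 0,
        detail: 'No SharedArrayBuffer usage and no explicit need for cross-origin isolation',
      };
    }
    return {
      status: 'fail',
      count: 0,
      detail: 'No Cross-Origin-Embedder-Policy header configured: cross-origin isolation not enabled',
    };
  }

  const quoted = configured.map((f) => `${f.location}: "${f.value}"`).join('; ');
  return {
    status: 'pass',
    count: configured.length,
    detail: `COEP configured in ${configured.length} location(s): ${quoted}`,
  };
}

console.log(evaluateCoep(SAMPLE_FINDINGS));
```

In the sample, `unsafe-none` is ignored because it is the browser's default and establishes no isolation, so the count is 2, not 3. Where no acceptable value is found anywhere and the project does not need isolation, the result is `skip` rather than `fail`, matching the N/A rule.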
Remediation: COEP ensures that every cross-origin resource the page loads has explicitly opted into being loaded, closing off cross-origin data leaks:
// next.config.js
// The header entry needs a source pattern; '/(.*)' covers every route.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Cross-Origin-Embedder-Policy',
        value: 'credentialless'
      }]
    }];
  }
};
Use `credentialless` for compatibility with CDN-hosted images and fonts. Use `require-corp` for maximum isolation (every cross-origin resource must then set a CORP header or pass CORS). Test thoroughly — COEP can break third-party embeds.