Cross-Origin-Embedder-Policy (COEP) Not Implemented - Vulnerability Database

Cross-Origin-Embedder-Policy (COEP) Not Implemented

Description

Cross-Origin-Embedder-Policy (COEP) is an HTTP response header that controls which cross-origin sub-resources (images, scripts, fonts, media, iframes and so on) a document is allowed to load. With COEP enforced, a cross-origin resource is loaded only if it explicitly grants permission, either through a Cross-Origin-Resource-Policy (CORP) header on the resource or by being requested with CORS. Its partner header, Cross-Origin-Opener-Policy (COOP), isolates the document from other windows and popups; COEP ensures that everything embedded within the page has opted in to being embedded. Together the two headers place the document in the cross-origin isolated state, which limits what Spectre-style side-channel attacks can read from the page's process and is the precondition for APIs such as SharedArrayBuffer and high-resolution timers. When the header is absent, the browser behaves as if it were set to the default value, unsafe-none.

Remediation

To rectify the absence of the header, the primary recommendation is to send Cross-Origin-Embedder-Policy: require-corp. This is the strictest value: every cross-origin sub-resource must explicitly opt in to being embedded, either through a Cross-Origin-Resource-Policy header (cross-origin, or same-site where that is appropriate) or by being loaded with CORS (for example a script tag with the crossorigin attribute and a matching Access-Control-Allow-Origin on the response); anything else is blocked. Combined with COOP, this is what enables the cross-origin isolated state. For applications that depend on third-party resources that do not set CORP, Cross-Origin-Embedder-Policy: credentialless is a more flexible alternative: cross-origin no-cors requests are sent without cookies or other credentials, so the resources still load but no credentialed response can end up in the page's process. Not every browser supports credentialless yet, so check current support before relying on it.

Regardless of the chosen value, pair it with Cross-Origin-Opener-Policy: same-origin; cross-origin isolation requires both headers, and COEP alone does not stop a cross-origin window from keeping a reference to yours. Deploy both in report-only mode first, using the Cross-Origin-Embedder-Policy-Report-Only and Cross-Origin-Opener-Policy-Report-Only headers with a report-to parameter that names an endpoint declared in a Reporting-Endpoints header. The browser then reports every sub-resource that would have been blocked without actually blocking it, so breakage can be found and fixed in a real-world environment before enforcement is switched on. Finally, when auditing the fix, check the exact header name and value (require-corp, not require_corp): an unrecognised value is not an error, the browser silently treats it as unsafe-none. In the browser, self.crossOriginIsolated reports true only when both headers are in effect.
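The rollout and audit described above, as an added example that is not code from this page or from Invicti: a Node.js checker that evaluates a response's COEP and COOP headers the way a browser does (a misspelled value falls back to unsafe-none, Report-Only headers monitor without enforcing), the two header sets for the report-only and enforcing stages, and a small server that serves a page with either set. The reporting URL, the port and the file name coep.js are assumptions.

```javascript
'use strict';
// Added example, not code from the Invicti page: a checker that evaluates a
// response's COEP/COOP headers the way a browser does (unknown or misspelled
// values fall back to unsafe-none, -Report-Only headers monitor but do not
// enforce), and a small Node.js server that sends the recommended headers.
// The reporting URL and port are placeholders.

// Tokens the COEP and COOP specs recognise. Both specs parse the header as a
// structured-field token and compare it exactly, so "require_corp" is ignored.
const COEP_TOKENS = new Set(['unsafe-none', 'require-corp', 'credentialless']);
const COOP_TOKENS = new Set(['unsafe-none', 'same-origin', 'same-origin-allow-popups']);

// Parse `<token>[; report-to="<group>"]`. Anything the browser would discard
// yields the default unsafe-none together with a note saying why.
function parsePolicy(raw, tokens) {
  if (raw === undefined || raw === null) {
    return { value: 'unsafe-none', reportTo: null, note: 'header absent' };
  }
  const [first, ...params] = String(raw).split(';');
  const token = first.trim();
  if (!tokens.has(token)) {
    return { value: 'unsafe-none', reportTo: null, note: `unrecognised value "${token}" ignored` };
  }
  let reportTo = null;
  for (const p of params) {
    const m = /^\s*report-to\s*=\s*"?([^"\s]+)"?\s*$/i.exec(p);
    if (m) reportTo = m[1];
  }
  return { value: token, reportTo, note: null };
}

// Evaluate one response's headers (any key casing). `crossOriginIsolated` is
// what self.crossOriginIsolated would be in a top-level document served with
// them: COOP same-origin plus COEP require-corp or credentialless.
function evaluateIsolation(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const coep = parsePolicy(h['cross-origin-embedder-policy'], COEP_TOKENS);
  const coop = parsePolicy(h['cross-origin-opener-policy'], COOP_TOKENS);
  const coepRO = parsePolicy(h['cross-origin-embedder-policy-report-only'], COEP_TOKENS);
  const coopRO = parsePolicy(h['cross-origin-opener-policy-report-only'], COOP_TOKENS);
  const findings = [];
  if (coep.value === 'unsafe-none') findings.push(`COEP not enforced: ${coep.note}`);
  if (coop.value !== 'same-origin') findings.push(`COOP is "${coop.value}", needs same-origin`);
  if (coepRO.value !== 'unsafe-none') findings.push(`COEP ${coepRO.value} is report-only, not enforced`);
  if (coopRO.value !== 'unsafe-none') findings.push(`COOP ${coopRO.value} is report-only, not enforced`);
  return {
    coep: coep.value,
    coop: coop.value,
    crossOriginIsolated: coop.value === 'same-origin' && coep.value !== 'unsafe-none',
    findings,
  };
}

// Enforcing headers for the remediation above, with violation reports sent to
// a named Reporting-Endpoints group. The URL is a placeholder.
function recommendedHeaders(reportUrl = 'https://example.invalid/reports') {
  return {
    'Reporting-Endpoints': `default="${reportUrl}"`,
    'Cross-Origin-Embedder-Policy': 'require-corp; report-to="default"',
    'Cross-Origin-Opener-Policy': 'same-origin; report-to="default"',
  };
}

// First rollout stage: the same policies as report-only, so nothing is
// blocked yet but every sub-resource that would be blocked gets reported.
function reportOnlyHeaders(reportUrl = 'https://example.invalid/reports') {
  return {
    'Reporting-Endpoints': `default="${reportUrl}"`,
    'Cross-Origin-Embedder-Policy-Report-Only': 'require-corp; report-to="default"',
    'Cross-Origin-Opener-Policy-Report-Only': 'same-origin; report-to="default"',
  };
}

// Serve a page with either header set; open it in a browser and the page
// prints self.crossOriginIsolated. Started only with `node coep.js --serve`.
async function startServer(port = 8080) {
  const { createServer } = await import('node:http');
  const server = createServer((req, res) => {
    const headers = req.url.startsWith('/report-only') ? reportOnlyHeaders() : recommendedHeaders();
    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', ...headers });
    res.end('<p>crossOriginIsolated: <script>document.write(String(self.crossOriginIsolated))</script></p>');
  });
  await new Promise((resolve) => server.listen(port, '127.0.0.1', resolve));
  console.log(`listening on http://127.0.0.1:${port}/ (enforced) and /report-only`);
  return server;
}

if (process.argv.includes('--serve')) {
  startServer().catch((err) => { console.error(err); process.exit(1); });
} else {
  // Default run: audit both header sets and a typo the browser would ignore.
  for (const [label, headers] of [
    ['recommended', recommendedHeaders()],
    ['report-only', reportOnlyHeaders()],
    ['typo', { 'Cross-Origin-Embedder-Policy': 'require_corp', 'Cross-Origin-Opener-Policy': 'same-origin' }],
  ]) console.log(label, evaluateIsolation(headers));
}
```

Run `node coep.js` to see the audit of the three header sets: the enforcing set isolates, the report-only set produces findings but does not isolate, and the require_corp typo is reported as ignored. Run `node coep.js --serve` and load http://127.0.0.1:8080/ or /report-only in a browser to confirm what self.crossOriginIsolated reports for each stage; pointing evaluateIsolation at the headers of a real response (for example from curl -I) gives the same verdict a browser would reach.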

Related Vulnerabilities