Cross-Origin-Embedder-Policy
Enabled Prevent a document from loading certain cross-origin resources.
The HTTP Cross-Origin-Embedder-Policy
(COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission.
This header should be configured with COOP
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({ // Global security: { headers: { crossOriginEmbedderPolicy: <OPTIONS>, }, }, // Per route routeRules: { '/custom-route': { security: { headers: { crossOriginEmbedderPolicy: <OPTIONS>, }, }, } }})
You can also disable this header by crossOriginEmbedderPolicy: false
.
Default value
By default, Nuxt Security will set following value for this header.
Cross-Origin-Embedder-Policy: require-corp
Available values
The crossOriginEmbedderPolicy
header can be configured with following values.
crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | false;
unsafe-none
This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
require-corp
A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
credentialless
no-cors cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header. Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
Avoiding blockage with CORS
here.