What the Cross-Origin-Embedder-Policy header does
Cross-Origin-Embedder-Policy, or COEP, is a response header that controls how a page is allowed to load cross-origin resources such as images, scripts, fonts, and iframes. By default a browser will happily pull in resources from anywhere. COEP flips that and tells the browser to only embed cross-origin content that has explicitly agreed to be loaded. That stricter rule is the price of admission for cross-origin isolation, a state that unlocks features browsers otherwise keep locked away.
The header takes two meaningful values. With require-corp, every cross-origin resource has to opt in by sending a Cross-Origin-Resource-Policy header or by going through a full CORS check, so anything that stays silent simply fails to load. With credentialless, the browser instead fetches cross-origin resources without cookies or other credentials, which means those resources no longer need to opt in at all. The credentialless value is often the gentler path when you cannot control every third-party resource your page embeds.
Why isolation matters for SharedArrayBuffer and timers
After the Spectre class of CPU attacks, browsers pulled back access to SharedArrayBuffer and to high-precision timers because they could be abused to read memory across origins. Those capabilities now return only when a page is cross-origin isolated, and isolation requires COEP working together with a Cross-Origin-Opener-Policy of same-origin. Set just one and you get nothing, so both pieces have to be in place. Once they are, your page can use shared memory, precise timing, and certain measurement APIs that modern apps and games rely on. If you are building anything that needs those features, start by sending Cross-Origin-Embedder-Policy and confirming your embedded resources are ready to opt in. The free cross-origin isolation checker confirms whether COEP and COOP line up the way they need to.
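As an added example (not code from the original page), the following JavaScript models how the two COEP values treat embedded subresources and when a document's headers qualify it as cross-origin isolated. The hosts, the resource list and the function names are constructed for illustration; it assumes every cross-origin URL is also cross-site and does not model iframes.

```javascript
// Simplified model of COEP embed checks for subresources (added example).
// Assumption: every cross-origin URL here is also cross-site, so a CORP of
// "same-site" is treated like "same-origin". Iframes are not modeled.
const token = (v) => (v || "").split(";")[0].trim().toLowerCase();

// Isolation needs COOP: same-origin plus an enforcing COEP value.
function isCrossOriginIsolated(docHeaders) {
  const coep = token(docHeaders["cross-origin-embedder-policy"]);
  const coop = token(docHeaders["cross-origin-opener-policy"]);
  return coop === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Returns "load", "load-without-credentials" or "block" for one resource.
function embedDecision(pageOrigin, coepValue, res) {
  const coep = token(coepValue);
  if (new URL(res.url).origin === pageOrigin) return "load";
  if (res.mode === "cors") {
    // A passing CORS check (anonymous request assumed) counts as the opt-in.
    const acao = res.headers["access-control-allow-origin"];
    return acao === "*" || acao === pageOrigin ? "load" : "block";
  }
  const corp = token(res.headers["cross-origin-resource-policy"]);
  if (corp === "cross-origin") return "load";
  if (corp === "same-origin" || corp === "same-site") return "block";
  // No CORP header: the outcome depends on the embedder's COEP value.
  if (coep === "require-corp") return "block";
  if (coep === "credentialless") return "load-without-credentials";
  return "load";
}

// Constructed sample page and resources (hypothetical hosts).
const PAGE = "https://app.example";
const RESOURCES = [
  { url: "https://app.example/main.js", mode: "no-cors", headers: {} },
  { url: "https://cdn.example/font.woff2", mode: "cors",
    headers: { "access-control-allow-origin": "*" } },
  { url: "https://img.example/logo.png", mode: "no-cors",
    headers: { "cross-origin-resource-policy": "cross-origin" } },
  { url: "https://ads.example/pixel.gif", mode: "no-cors", headers: {} },
];

function audit(coepValue) {
  return RESOURCES.map((r) => embedDecision(PAGE, coepValue, r));
}

console.log(audit("require-corp"), audit("credentialless"));
```

The silent third-party resource is the only one whose outcome differs between the two values, which is the case to look for when auditing a page before turning the header on.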