Cross-Origin Embedder Policy
Stay organized with collections
Save and categorize content based on your preferences.
Cross-Origin-Embedder-Policy (COEP) is a response header that lets a
page opt in to more restrictive handling. The Google Publisher Tag
(GPT) does not yet support pages served with this restriction;
thus, we recommend publishers affected by Chrome's
SharedArrayBuffer deprecation opt their site out by
applying for the reverse Origin Trial until Chrome
supports combining COEP with ads.
How do I know if my site is affected?
Chrome has documentation describing how to use Chrome DevTools
to determine whether your site uses SharedArrayBuffer. If DevTools tells you
that the use of SharedArrayBuffer is in a third-party script, inquire from the
vendor whether SharedArrayBuffer is required for the script's operation.
Why am I seeing a SharedArrayBuffer deprecation warning in desktop Chrome?
Because SharedArrayBuffer can be used to create a high resolution timer, it
can make Spectre-style attacks more efficient. Browsers are limiting
its use to pages that opt in to COEP. That limitation is already in place for
Firefox and Android Chrome, and
Desktop Chrome will be applying it in version 92.
Why doesn't GPT support COEP yet?
Displaying ads requires embedding cross-origin content, and COEP requires that
content to explicitly opt in to cross-origin embedding. This requires
changes to every resource in every ad, both ones served by Google and ones
served by third parties. We are working with Chrome on changes
to allow COEP sites to include ads without requiring such extensive changes.
What are my options?
If your site requires SharedArrayBuffer, Chrome is offering a per-site opt-out
through a reverse Origin Trial, which allows use of
SharedArrayBuffer in Chrome 92 and later. Chrome plans to continue
supporting this opt-out until support for embedding
unmodified third-party content is released. At that point we indend to ensure
GPT supports COEP pages.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-31 UTC.
[null,null,["Last updated 2024-10-31 UTC."],[[["\u003cp\u003eGoogle Publisher Tag (GPT) currently doesn't support pages using Cross-Origin-Embedder-Policy (COEP) due to restrictions on cross-origin embedding.\u003c/p\u003e\n"],["\u003cp\u003ePublishers affected by Chrome's \u003ccode\u003eSharedArrayBuffer\u003c/code\u003e deprecation are recommended to opt out using the reverse Origin Trial until GPT supports COEP.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eSharedArrayBuffer\u003c/code\u003e is being restricted due to security concerns, prompting Chrome to require COEP for its usage.\u003c/p\u003e\n"],["\u003cp\u003eGPT's lack of COEP support stems from the need for extensive changes across all ad resources, both Google's and third-party's, to explicitly opt into cross-origin embedding.\u003c/p\u003e\n"],["\u003cp\u003eChrome offers a per-site opt-out via a reverse Origin Trial, enabling \u003ccode\u003eSharedArrayBuffer\u003c/code\u003e use until broader COEP support for embedded content arrives.\u003c/p\u003e\n"]]],["`Cross-Origin-Embedder-Policy` (COEP) restricts embedding, impacting Google Publisher Tag (GPT) functionality. Chrome limits `SharedArrayBuffer` usage to COEP-enabled pages due to security risks. If `SharedArrayBuffer` is necessary, publishers can opt out via a reverse Origin Trial. Chrome DevTools can check `SharedArrayBuffer` usage. GPT doesn't support COEP yet because ads require cross-origin content embedding, needing broad changes; Chrome and Google are working on solutions. The opt-out will be available until third party changes are rolled out.\n"],null,["`Cross-Origin-Embedder-Policy` ([COEP](//developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy)) is a response header that lets a\npage opt in to more restrictive handling. The Google Publisher Tag\n(GPT) does not yet support pages served with this restriction;\nthus, we recommend publishers affected by Chrome's\n[`SharedArrayBuffer`](//developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer) deprecation opt their site out by\n[applying for the reverse Origin Trial](//developer.chrome.com/blog/enabling-shared-array-buffer/#origin-trial) until Chrome\nsupports combining COEP with ads.\n\nHow do I know if my site is affected?\n\nChrome has [documentation](//web.dev/cross-origin-isolation-guide/#determine-where-in-your-website-sharedarraybuffer-is-used) describing how to use Chrome DevTools\nto determine whether your site uses `SharedArrayBuffer`. If DevTools tells you\nthat the use of `SharedArrayBuffer` is in a third-party script, inquire from the\nvendor whether `SharedArrayBuffer` is required for the script's operation.\n\nWhy am I seeing a `SharedArrayBuffer` deprecation warning in desktop Chrome?\n\nBecause `SharedArrayBuffer` can be used to create a high resolution timer, it\ncan make [Spectre](//security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html)-style attacks more efficient. Browsers are limiting\nits use to pages that opt in to COEP. That limitation is already in place for\n[Firefox](//developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer/Planned_changes) and [Android Chrome](//developer.chrome.com/blog/enabling-shared-array-buffer/), and\n[Desktop Chrome](//developer.chrome.com/blog/enabling-shared-array-buffer/) will be applying it in version 92.\n\nWhy doesn't GPT support COEP yet?\n\nDisplaying ads requires embedding cross-origin content, and COEP requires that\ncontent to [explicitly opt in to](//developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) cross-origin embedding. This requires\nchanges to every resource in every ad, both ones served by Google and ones\nserved by third parties. We are working with Chrome on [changes](//www.chromestatus.com/feature/4918234241302528)\nto allow COEP sites to include ads without requiring such extensive changes.\n\nWhat are my options?\n\nIf your site requires `SharedArrayBuffer`, Chrome is offering a per-site opt-out\nthrough a [reverse Origin Trial](//developer.chrome.com/blog/enabling-shared-array-buffer/#origin-trial), which allows use of\n`SharedArrayBuffer` in Chrome 92 and later. Chrome plans to [continue\nsupporting this opt-out](//groups.google.com/a/chromium.org/g/blink-dev/c/1NKvbIj3dq4/m/ToXFE-m7AgAJ) until support for embedding\nunmodified third-party content is released. At that point we indend to ensure\nGPT supports COEP pages."]]