          Restrict Page Resource Requests with Cross-Origin Embedder Policy (COEP)

          To safeguard your custom Visualforce pages, only allow content from external sources that trust your page. When you enable the Cross-Origin Embedder Policy (COEP) setting, externally sourced embedded content loads only when the origin explicitly states that your page or domain can load its content. Embedded content can include images, documents, and widgets.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To modify session security settings: Customize Application

          Note: To preserve your users’ access to required content, we recommend that you review the expected behavior and test COEP in a sandbox before you enable this feature in production.

          Browser access checks use the headers for both your Visualforce page and the external sites that you access from your page. The combination of Cross-Origin Embedder Policy (COEP) and Cross-Origin Opener Policy (COOP) headers determines whether the Visualforce page and external sites can interact. To learn more about COOP and COEP, we recommend these topics on MDN Web Docs: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy.

          When COEP is enabled, externally sourced embedded content loads only when the external origin allows it via one of these methods.

          • Cross-Origin Resource Policy (CORP). The externally sourced content includes the Cross-Origin-Resource-Policy header with the cross-origin value.
          • Cross-Origin Resource Sharing (CORS). The external origin includes your page or its domain in its CORS allowlist. When your page makes a request, the external origin responds with the required Access-Control-Allow-* headers that allow your page access to the content.

          1. From Setup, in the Quick Find box, enter Session Settings, and then click Session Settings.
          2. In the Visualforce Cross-Origin Security Headers section, select Cross-Origin Embedder Policy (COEP).
            Note: COEP applies to all your custom Visualforce pages.
          3. Save your changes.
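
The CORP and CORS conditions listed above can be checked against response headers captured in a sandbox before COEP is enabled. The following is an added example, not Salesforce code: it assumes the standard `require-corp` COEP behavior, and the function names, origins, URLs, and header sets are constructed for illustration.

```javascript
// Added example (not Salesforce code). Assumes the page is served with COEP require-corp.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// resource: { url, headers, cors, credentials }
//   cors: true when fetched in CORS mode (for example <img crossorigin> or fetch())
//   credentials: true when cookies or HTTP auth are sent with the request
function coepVerdict(pageOrigin, resource) {
  const h = normalize(resource.headers || {});
  if (new URL(resource.url).origin === pageOrigin) return { loads: true, reason: "same-origin" };
  if (resource.cors) {
    const acao = h["access-control-allow-origin"];
    if (acao === "*" && !resource.credentials) return { loads: true, reason: "CORS wildcard" };
    if (acao !== pageOrigin) return { loads: false, reason: "origin not in CORS allowlist" };
    if (resource.credentials && h["access-control-allow-credentials"] !== "true") {
      return { loads: false, reason: "credentialed request not allowed" };
    }
    return { loads: true, reason: "CORS allowlist" };
  }
  // no-cors embed: only the cross-origin CORP value named on the page is accepted.
  // same-site is not evaluated because it needs a registrable-domain comparison.
  const corp = (h["cross-origin-resource-policy"] || "").toLowerCase();
  return corp === "cross-origin"
    ? { loads: true, reason: "CORP cross-origin" }
    : { loads: false, reason: "missing CORP cross-origin" };
}

// Returns the URLs that would stop loading once COEP is enabled.
function audit(pageOrigin, resources) {
  return resources.filter((r) => !coepVerdict(pageOrigin, r).loads).map((r) => r.url);
}

// Constructed sample inventory; origins and headers are placeholders.
const PAGE = "https://vf.example.test";
const SAMPLES = [
  { url: "https://cdn.example.net/logo.png", headers: { "Cross-Origin-Resource-Policy": "cross-origin" } },
  { url: "https://widgets.example.org/chat.js", headers: {} },
  { url: "https://fonts.example.net/a.woff2", cors: true, headers: { "Access-Control-Allow-Origin": PAGE } },
  { url: "https://api.example.org/me", cors: true, credentials: true, headers: { "Access-Control-Allow-Origin": "*" } },
  { url: "https://vf.example.test/resource/app.css", headers: {} },
];
console.log(audit(PAGE, SAMPLES));
```

Each URL the audit returns needs either a CORP or a CORS change on the external origin, or a replacement source, before the setting is turned on in production.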
           