Cross-Origin-Embedder-Policy Header Missing or Invalid
Risk Level: Low
Confidence: 2
Description
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
Solution
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE ID: 693
WASC ID: 14
Example Instance
URL: https://localhost:44322
Method: GET
Parameter: Cross-Origin-Embedder-Policy
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-02-18
Plugin ID: 90004
Scan Metadata
- Branch:
main
- Template Source: NuGet.org
- Clean Template Version: 7.0.5
- Umbraco CMS Version: 17.1.0
Cross-Origin-Embedder-Policy Header Missing or Invalid
Risk Level: Low
Confidence: 2
Description
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
Solution
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE ID: 693
WASC ID: 14
Example Instance
URL:
https://localhost:44322Method: GET
Parameter:
Cross-Origin-Embedder-PolicyThis issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-02-18
Plugin ID: 90004
Scan Metadata
main