> I don't actually entirely understand the purpose or effect of Cross-Origin-Embedder-Policy. I thought browsers already blocked cross origin requests without CORS headers in the response that allow it.
CORS applies to XHR/fetch APIs, not browser loading of subresources specified in the HTML of the page.
COEP optionally extends CORS-type protection to subresources.
CORS applies to XHR/fetch APIs, not browser loading of subresources specified in the HTML of the page.
COEP optionally extends CORS-type protection to subresources.