I'm seeing the following error in my browser console when using Helmet.js:
net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep
What should I do?
I'm seeing the following error in my browser console when using Helmet.js:
net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep
What should I do?
tl;dr: disable the
Cross-Origin-Embedder-Policy
header, enabled by default in Helmet v5.Helmet v5 sets the the
Cross-Origin-Embedder-Policy
HTTP response header torequire-corp
. (This was possible in Helmet v4, but it was off by default, so most people didn't use it.)Setting this header means that loading cross-origin resources (like an image from another resource) is trickier. For example, loading a cross-origin like this...
...won't work unless
example.com
explicitly allows it, by setting some response headers of its own. Your browser will try to loadexample.com/image.png
, and if it's not explicitly allowed, your browser will drop the response.To fix this, you can prevent Helmet from setting the
Cross-Origin-Embedder-Policy
header, like this:I made a small sample app you can use to play around with this. In my testing, it doesn't seem to work in HTTP but it does over HTTPS, which might explain why things only break in production.