Run Chrome canary (>=92, 93 is ideal), using the CrossOriginEmbedderPolicyCredentialless feature flag.
google-chrome-unstable --enable-features=CrossOriginEmbedderPolicyCredentialless
This document is using the headers:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
An image loaded in no-cors mode (default). Cookies aren't sent. It should always load.
An image loaded in cors mode (crossorigin="use-credentials"). Cookies are sent, but CORS is checked. On this website this is blocked.
An iframe with COEP: unsafe-none. It shouldn't load.
An iframe with COEP: credentialless. It should load.
An iframe with COEP: require-corp. It should load.
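
The five cases above can be checked against a small model of the browser's decisions. This is an added example, not code from this page: it is a simplified sketch of the COEP, CORP and CORS checks, all function and field names are hypothetical, and it assumes the subresource is cross-site and that header keys are lower-case.

```javascript
// Added example: simplified model of the five checks on this page.
// All function and field names are hypothetical; header keys are lower-case.
const ISOLATING = new Set(["require-corp", "credentialless"]);

// Header values may carry parameters (e.g. report-to); keep the first token.
const token = (v) => (v || "").split(";")[0].trim().toLowerCase();

function coepOf(headers) {
  const t = token(headers["cross-origin-embedder-policy"]);
  return ISOLATING.has(t) ? t : "unsafe-none"; // absent or unknown value
}

// Isolation needs COOP: same-origin plus an isolating COEP value.
function canBeCrossOriginIsolated(headers) {
  return token(headers["cross-origin-opener-policy"]) === "same-origin" &&
    ISOLATING.has(coepOf(headers));
}

// Under an isolating embedder, the framed document must opt in as well.
function iframeLoads(parentHeaders, childHeaders) {
  return !ISOLATING.has(coepOf(parentHeaders)) ||
    ISOLATING.has(coepOf(childHeaders));
}

// Cross-site subresource such as <img>. mode is "no-cors" or "cors";
// useCredentials models crossorigin="use-credentials".
function crossSiteSubresource(page, { mode, useCredentials = false }, resp) {
  const coep = coepOf(page.headers);
  if (mode === "cors") {
    const acao = resp["access-control-allow-origin"];
    const loads = useCredentials
      ? acao === page.origin && resp["access-control-allow-credentials"] === "true"
      : acao === "*" || acao === page.origin;
    return { credentialsIncluded: useCredentials, loads };
  }
  // no-cors: credentialless strips credentials instead of demanding CORP.
  const credentialsIncluded = coep !== "credentialless";
  let corp = token(resp["cross-origin-resource-policy"]);
  if (!["same-origin", "same-site", "cross-origin"].includes(corp)) {
    // No usable CORP header: require-corp defaults to same-origin, and so
    // does credentialless when the request carried credentials.
    corp = coep === "require-corp" ||
      (coep === "credentialless" && credentialsIncluded) ? "same-origin" : "";
  }
  // The resource is cross-site, so same-origin and same-site both block.
  return { credentialsIncluded, loads: corp === "" || corp === "cross-origin" };
}
```

Running the no-cors case with COEP: require-corp instead shows the difference between the two policies: credentials stay on the request, and a response without a Cross-Origin-Resource-Policy header is blocked.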