Cross-Origin Embedder Policy

Cross-Origin-Embedder-Policy (COEP) is a response header that lets a page opt in to more restrictive handling. The Google Publisher Tag (GPT) does not yet support pages served with this restriction; thus, we recommend publishers affected by Chrome's SharedArrayBuffer deprecation opt their site out by applying for the reverse Origin Trial until Chrome supports combining COEP with ads.

How do I know if my site is affected?

Chrome has documentation describing how to use Chrome DevTools to determine whether your site uses SharedArrayBuffer. If DevTools tells you that the use of SharedArrayBuffer is in a third-party script, inquire from the vendor whether SharedArrayBuffer is required for the script's operation.

Why am I seeing a SharedArrayBuffer deprecation warning in desktop Chrome?

Because SharedArrayBuffer can be used to create a high resolution timer, it can make Spectre-style attacks more efficient. Browsers are limiting its use to pages that opt in to COEP. That limitation is already in place for Firefox and Android Chrome, and Desktop Chrome will be applying it in version 92.

Why doesn't GPT support COEP yet?

Displaying ads requires embedding cross-origin content, and COEP requires that content to explicitly opt in to cross-origin embedding. This requires changes to every resource in every ad, both ones served by Google and ones served by third parties. We are working with Chrome on changes to allow COEP sites to include ads without requiring such extensive changes.

What are my options?

If your site requires SharedArrayBuffer, Chrome is offering a per-site opt-out through a reverse Origin Trial, which allows use of SharedArrayBuffer in Chrome 92 and later. Chrome plans to continue supporting this opt-out until support for embedding unmodified third-party content is released. At that point we indend to ensure GPT supports COEP pages.