Skip to content

ERR_BLOCKED_BY_RESPONSE: Causes & Fix

Key idea:

ERR_BLOCKED_BY_RESPONSE — Chrome blocks a resource due to mismatched Cross-Origin-* headers. Usually COEP (Cross-Origin-Embedder-Policy), COOP (Cross-Origin-Opener-Policy), or CORP (Cross-Origin-Resource-Policy). Appears on sites using SharedArrayBuffer or requiring cross-origin isolation. Fix: configure the correct headers on every domain.

This error blocks HTTPS access. Below: causes, fixes, working config, FAQ.

Check your site's SSL →

Common Causes

  • Page with Cross-Origin-Embedder-Policy: require-corp embeds a resource without CORP
  • COOP: same-origin + popup.open() to another origin
  • X-Frame-Options: DENY on iframe embed
  • CORP: same-site accessed from another eTLD+1
  • Broken CORS preflight with 200 but no Access-Control-Allow-Origin

Step-by-Step Fix

  1. On the embedded resource: Cross-Origin-Resource-Policy: cross-origin
  2. If you own both sides: CORP: same-site
  3. For iframes: Cross-Origin-Opener-Policy: unsafe-none (relaxes)
  4. Check Enterno HTTP Checker — see all response headers
  5. For SharedArrayBuffer: COOP + COEP both on same-origin + require-corp

Check SSL Certificate →

Related SSL Errors

TL;DR

The ERR_BLOCKED_BY_RESPONSE error occurs when a browser blocks a request due to Cross-Origin Embedder Policy (COEP) or Cross-Origin Resource Policy (CORP) settings. To resolve this, ensure your server responds with the correct headers: Cross-Origin-Embedder-Policy: require-corp and Cross-Origin-Resource-Policy: same-origin. Additionally, check for any CORS misconfigurations that may be causing the block.

Understanding ERR_BLOCKED_BY_RESPONSE

The ERR_BLOCKED_BY_RESPONSE error is a security feature in modern browsers designed to protect users from potentially malicious content. This error indicates that a resource was blocked due to the absence of appropriate Cross-Origin policies. COEP and CORP are security headers that help control how resources are shared across different origins. Specifically, COEP requires that any cross-origin resources are explicitly marked as safe via CORP, otherwise, they will be blocked.

When a web application requests resources (like scripts, images, or iframes) from a different origin, the browser checks the response headers to determine if the request should be allowed. If the required headers are not present or are incorrectly configured, the browser will block the request, leading to the ERR_BLOCKED_BY_RESPONSE error.

To better understand this issue, let's look at the two key headers:

  • Cross-Origin-Embedder-Policy (COEP): This header tells the browser that the document requires all of its cross-origin resources to be explicitly marked as safe. The possible values are unsafe-none, require-corp, and require-embedder.
  • Cross-Origin-Resource-Policy (CORP): This header controls how resources can be shared across origins. It can take values like same-origin, same-site, and cross-origin.

Both headers are crucial for maintaining a secure browsing experience and preventing clickjacking, data theft, and other security vulnerabilities.

Fixing ERR_BLOCKED_BY_RESPONSE

To fix the ERR_BLOCKED_BY_RESPONSE error, you need to ensure that your server is configured to send the appropriate headers. Here’s a step-by-step guide to resolving this error:

  1. Check Server Configuration: Depending on your server type (Apache, Nginx, etc.), you need to modify the configuration files to include the necessary headers.

Example for Apache

Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Resource-Policy "same-origin"
  1. Check Resource Responses: Verify that all resources your application loads (images, scripts, etc.) respond with the correct CORP headers. You can use browser developer tools to inspect the network requests and their respective headers.
  2. Update Client-Side Code: Ensure that your client-side code properly handles cross-origin requests. If certain resources are being blocked, consider changing their origin or ensuring they are served with the correct headers.
  3. Test Changes: After making the necessary changes, test your application in multiple browsers to ensure that the error is resolved. Use tools like curl to verify the headers directly from the command line:
curl -I https://yourdomain.com/resource

If the headers are correctly set, you should see:

HTTP/1.1 200 OK
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin

By following these steps, you should be able to effectively resolve the ERR_BLOCKED_BY_RESPONSE error and ensure your web application operates smoothly across different browsers.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

What is Cross-Origin Isolation?

A mode where the page is safe from Spectre-class attacks. Required for SharedArrayBuffer, performance.measureUserAgentSpecificMemory, and high-precision timers.

When do I see this error?

DevTools → Console → "Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE". Network tab — resource highlighted red.

Are Spectre mitigations about security?

Yes. Without COOP/COEP the page cannot safely use SharedArrayBuffer — hence Chrome's restrictions.

How to test this easily?

<a href="/en/cors">Enterno CORS checker</a> inspects Access-Control-* headers. + DevTools → Network → Response Headers.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.