Updated April 2026

ERR_BLOCKED_BY_RESPONSE

Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE — The resource was blocked because of Cross-Origin Resource Policy (CORP).

What causes this error

The server returned a Cross-Origin-Resource-Policy header that prevents cross-origin access, or the response includes headers that block embedding. This is a server-enforced security policy, not a browser bug.

Cross-Origin-Resource-Policy (CORP)

CORP tells browsers which origins can load a resource:

Cross-Origin-Resource-Policy: same-origin # Only same origin (default for some browsers)
Cross-Origin-Resource-Policy: same-site # Same site (including subdomains)
Cross-Origin-Resource-Policy: cross-origin  # Any origin (equivalent to no restriction)

If your font, image, or asset server returns same-origin or same-site, pages from outside that origin or site can't load the resource.

Fix 1 — Add CORP: cross-origin to your asset server

If your assets need to be accessible from other origins (CDN, fonts, media):

# Nginx — on your CDN or asset server
add_header Cross-Origin-Resource-Policy "cross-origin" always;

Fix 2 — When embedding in an iframe

If the error happens when embedding in an iframe, the parent page may have Cross-Origin-Embedder-Policy: require-corp set. This requires every embedded resource to explicitly opt in with CORP: cross-origin.

# If you're the page doing the embedding and need SharedArrayBuffer
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

# Resources you embed must then have
Cross-Origin-Resource-Policy: cross-origin

Fix 3 — X-Frame-Options blocking iframes

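If the blocked resource is an iframe, X-Frame-Options on the embedded page may be denying it. X-Frame-Options cannot allow-list a specific parent origin in current browsers, so set the CSP frame-ancestors directive on the embedded page instead: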

# On the page being embedded — allow specific parent origin
Content-Security-Policy: frame-ancestors https://your-parent-site.com;
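
The checks behind the three fixes above, combined into one diagnostic function. This is an added example, not code from the original page or from any browser: diagnose() and its parameter names are hypothetical, the hosts are constructed samples, and it assumes a no-cors load from a top-level page.

```javascript
// Added example: report which header from this page would block a load.
// Simplification (assumption): "site" is the last two host labels; real
// browsers use the Public Suffix List and also compare schemes.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Header names are expected in lowercase, as Node and fetch() expose them.
function diagnose({ pageUrl, pageHeaders = {}, resourceUrl, resourceHeaders = {}, isIframe = false }) {
  const sameOrigin = new URL(pageUrl).origin === new URL(resourceUrl).origin;
  const sameSite = site(pageUrl) === site(resourceUrl);
  const corp = (resourceHeaders["cross-origin-resource-policy"] || "").trim().toLowerCase();
  const coep = (pageHeaders["cross-origin-embedder-policy"] || "").trim().toLowerCase();

  // CORP sent by the resource itself
  if (corp === "same-origin" && !sameOrigin) return "blocked: CORP same-origin";
  if (corp === "same-site" && !sameSite) return "blocked: CORP same-site";
  // COEP require-corp on the page: cross-origin resources must opt in via CORP
  if (coep === "require-corp" && !sameOrigin && corp === "") return "blocked: COEP require-corp needs CORP opt-in";

  if (isIframe) {
    // frame-ancestors, when present, takes precedence over X-Frame-Options.
    // Only 'self', * and exact origins are matched here (simplification).
    const csp = resourceHeaders["content-security-policy"] || "";
    const fa = csp.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors");
    if (fa) {
      const parent = new URL(pageUrl).origin;
      const ok = fa.slice(1).some(s => s === "*" || (s === "'self'" && sameOrigin) || s === parent);
      if (!ok) return "blocked: CSP frame-ancestors";
    } else {
      const xfo = (resourceHeaders["x-frame-options"] || "").trim().toLowerCase();
      if (xfo === "deny" || (xfo === "sameorigin" && !sameOrigin)) return "blocked: X-Frame-Options " + xfo;
    }
  }
  return "allowed";
}

// Constructed sample: a font on another site that only allows same-site loads
const fontCase = {
  pageUrl: "https://app.example.com/",
  resourceUrl: "https://cdn.example.net/font.woff2",
  resourceHeaders: { "cross-origin-resource-policy": "same-site" },
};
console.log(diagnose(fontCase));
```

Feed it the response headers from your browser's Network tab to see which of the three fixes applies.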