ERR_BLOCKED_BY_RESPONSE
Last updated: April 2026
ERR_BLOCKED_BY_RESPONSE means a security header on the server is blocking the browser from loading or embedding the resource. It is not a CORS error. Check the browser Network tab to see which header caused the block.
Cause 1: Cross-Origin-Opener-Policy (COOP)
COOP isolates your browsing context. When set to same-origin, cross-origin popups and windows cannot communicate with your page. This blocks OAuth popup flows and payment windows that rely on window.opener.
    # Current header causing the block
    Cross-Origin-Opener-Policy: same-origin

    # Fix: use same-origin-allow-popups for OAuth flows
    Cross-Origin-Opener-Policy: same-origin-allow-popups

    # Or remove COOP if not using SharedArrayBuffer
    # (remove the header entirely)
Cause 2: Cross-Origin-Embedder-Policy (COEP)
COEP requires all subresources to opt in to cross-origin loading. If any cross-origin resource (image, script, iframe) does not send a Cross-Origin-Resource-Policy header, it gets blocked.
    # Current header causing the block
    Cross-Origin-Embedder-Policy: require-corp

    # Fix: either remove COEP
    # or add Cross-Origin-Resource-Policy to the blocked resource:
    Cross-Origin-Resource-Policy: cross-origin
Cause 3: X-Frame-Options blocking iframe
If you are trying to embed a page in an iframe and seeing ERR_BLOCKED_BY_RESPONSE, the target page has X-Frame-Options: DENY or SAMEORIGIN.
    # Target page has this header
    X-Frame-Options: DENY

    # Fix on the target server: allow specific origins to embed it
    # Replace X-Frame-Options with CSP frame-ancestors:
    Content-Security-Policy: frame-ancestors 'self' https://yourapp.com
How to diagnose
1. Open DevTools → Network tab
2. Find the blocked request
3. Click it → Headers tab → look at Response Headers
4. The blocking header will be visible

Also check the Console tab for a more specific error message.
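The same diagnosis can be run over headers copied out of the Network tab. The following is an added example, not part of the original page: a simplified check for the three causes above, in which the function names, the `widgets.example` host and the sample headers are constructed for illustration.

```javascript
// Simplified triage of the three causes above from copied response headers.
// Not modelled: CORS-mode loads, CORP same-site, wildcard frame-ancestors sources.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Source list of the frame-ancestors directive, or null when it is absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function diagnose({ pageOrigin, pageHeaders, resourceOrigin, resourceHeaders, asIframe }) {
  const page = lower(pageHeaders), res = lower(resourceHeaders);
  const crossOrigin = pageOrigin !== resourceOrigin;
  const findings = [];
  // Cause 1: COOP same-origin on the page cuts window.opener for cross-origin popups.
  if ((page["cross-origin-opener-policy"] || "").toLowerCase() === "same-origin")
    findings.push("COOP: page sends same-origin");
  // Cause 2: COEP require-corp on the page, resource has not opted in via CORP.
  if (crossOrigin && (page["cross-origin-embedder-policy"] || "").toLowerCase() === "require-corp" &&
      (res["cross-origin-resource-policy"] || "").toLowerCase() !== "cross-origin")
    findings.push("COEP: resource lacks Cross-Origin-Resource-Policy: cross-origin");
  // Cause 3: framing controls on the target. frame-ancestors, when present, replaces XFO.
  if (asIframe) {
    const fa = frameAncestors(res["content-security-policy"]);
    const xfo = (res["x-frame-options"] || "").toUpperCase();
    if (fa) {
      const allowed = fa.some(s => s === pageOrigin || (s === "'self'" && !crossOrigin));
      if (!allowed) findings.push("CSP: frame-ancestors does not list " + pageOrigin);
    } else if (xfo === "DENY" || (xfo === "SAMEORIGIN" && crossOrigin)) {
      findings.push("XFO: X-Frame-Options: " + xfo);
    }
  }
  return findings;
}

// Constructed sample: https://yourapp.com frames a page from a hypothetical widgets host.
const sample = {
  pageOrigin: "https://yourapp.com", resourceOrigin: "https://widgets.example", asIframe: true,
  pageHeaders: { "Cross-Origin-Embedder-Policy": "require-corp" },
  resourceHeaders: { "X-Frame-Options": "DENY" },
};
console.log(diagnose(sample));
```

An empty result means none of the three modelled headers explains the block, so the Console message is the next place to look.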