Forge / nginx

Note

This is only needed for multisite production installs where each Craft site has its own subdomain. Single-site installs work without any server configuration.

Add the COEP header

Open your site’s nginx config in Forge:

Sites → your site → Files → Edit Nginx Configuration

Add the following inside the server {} block:

# Multisite only. Adds COEP to front-end responses so the CP's Live Preview
# iframe can embed pages from a different subdomain. COOP is intentionally
# omitted — the plugin's PHP code sets it on CP responses only.
add_header Cross-Origin-Embedder-Policy "credentialless" always;

Click Save, then Reload nginx in the Forge UI.

Third-party iframes

If your templates embed YouTube or Vimeo iframes, add the credentialless attribute to each <iframe> element:

<iframe src="https://www.youtube-nocookie.com/embed/..." credentialless></iframe>

See Server setup overview for the full explanation.

Verify

# Front-end — should show COEP, not COOP
curl -sI https://yoursite.com/ | grep -i cross-origin
# cross-origin-embedder-policy: credentialless

# CP — should show both (plugin PHP adds COOP)
curl -sI https://yoursite.com/admin | grep -i cross-origin
# cross-origin-embedder-policy: credentialless
# cross-origin-opener-policy: same-origin