ERR_BLOCKED_BY_RESPONSE
Universal DNS/Network
Severity: Minor
What Does This Error Mean?
ERR_BLOCKED_BY_RESPONSE means the server responded to your request, but the response contained security headers that told your browser to block the content. Unlike ERR_BLOCKED_BY_CLIENT (where your browser extension blocks a request), this block comes from the server's instructions. The website's own security rules said 'do not display this content' and your browser complied.
Affected Models
- Google Chrome
- Microsoft Edge
- Firefox
- Safari
- All modern browsers
- Windows
- macOS
Common Causes
- The server has a Cross-Origin-Opener-Policy (COOP) or Cross-Origin-Embedder-Policy (COEP) header that restricts how content can be loaded
- The server's Content-Security-Policy (CSP) header is blocking specific resources or scripts
- The website has X-Frame-Options set to DENY, preventing the page from loading inside an iframe
- A resource (image, script, font) is being loaded from a cross-origin domain that the server has not permitted
- The server's CORS (Cross-Origin Resource Sharing) policy does not allow your browser's origin to access the resource
How to Fix It
- Open Chrome Developer Tools (press F12), go to the Console tab, and reload the page. Look for messages about blocked content; Chrome usually explains exactly which header caused the block.
  The console message will name the specific header (like 'Content-Security-Policy') and the blocked URL.
- If you are a regular user visiting a site, try refreshing the page. Occasionally, server caching glitches cause incorrect headers to be sent temporarily.
  A hard refresh (Ctrl+F5) ensures you get fresh headers from the server.
- Try clearing your browser cache and cookies. Press Ctrl+Shift+Delete, select All time, and clear all data. Then reload the page.
  Cached responses with incorrect headers can cause persistent ERR_BLOCKED_BY_RESPONSE issues.
- Try the site in a different browser or in Incognito mode. This helps determine if the issue is consistent across all clients or specific to your Chrome setup.
  If it works in another browser, the issue may be Chrome-specific or extension-related.
- If you manage the website and are seeing this for an embedded resource, review your CORS and CSP headers. The resource's server must send the correct Access-Control-Allow-Origin header for cross-domain content.
  Adding the correct CORS headers in your server configuration is the proper fix for a developer-side issue.
When to Call a Professional
If you are a web developer and your own site is showing this error, review your server's HTTP security headers. Check the Content-Security-Policy, COEP, and COOP headers in your server configuration. Browsers are increasingly strict about enforcing these headers — even a small misconfiguration can block legitimate content.
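One way to run that header review offline, as an added example that is not part of the original page: the function below takes a captured set of response headers and reports the framing and CORS rules that would make a browser refuse a cross-origin load. The function names and origins are constructed; only the direct embedder is checked, and source matching is limited to `*`, `'self'` and exact origins.

```javascript
// Added example, not from the original page. Header names are real; function
// names and origins are constructed. Host wildcards in frame-ancestors are not
// handled, and the CORS check assumes a request without credentials.

// HTTP header names are case-insensitive, so index them in lower case.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Source list of one CSP directive, or null when the directive is absent.
function cspDirective(csp, name) {
  for (const part of (csp || "").split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// ctx.embedderOrigin: origin of the page that frames or fetches the resource.
// ctx.resourceOrigin: origin that sent the response being audited.
// ctx.mode: "iframe" for a framing check, "cors" for a cross-origin fetch.
function auditResponse(rawHeaders, ctx) {
  const h = normalize(rawHeaders);
  const crossOrigin = ctx.embedderOrigin !== ctx.resourceOrigin;
  const findings = [];
  if (ctx.mode === "iframe") {
    const ancestors = cspDirective(h["content-security-policy"], "frame-ancestors");
    if (ancestors) {
      // When frame-ancestors is present, browsers ignore X-Frame-Options.
      const allowed = ancestors.includes("*") ||
        ancestors.includes(ctx.embedderOrigin) ||
        (!crossOrigin && ancestors.includes("'self'"));
      if (!allowed) findings.push("CSP frame-ancestors does not allow " + ctx.embedderOrigin);
    } else {
      const xfo = (h["x-frame-options"] || "").toUpperCase();
      if (xfo === "DENY") findings.push("X-Frame-Options: DENY forbids all framing");
      if (xfo === "SAMEORIGIN" && crossOrigin)
        findings.push("X-Frame-Options: SAMEORIGIN forbids cross-origin framing");
    }
  }
  if (ctx.mode === "cors" && crossOrigin) {
    const acao = h["access-control-allow-origin"];
    if (acao !== "*" && acao !== ctx.embedderOrigin)
      findings.push("Access-Control-Allow-Origin does not allow " + ctx.embedderOrigin);
  }
  return findings;
}
```

An empty result means none of these checks would block the load; each string in the result names the header to correct in the server configuration.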
Frequently Asked Questions
What is a Content-Security-Policy?
A Content-Security-Policy (CSP) is a security header that a website includes in its server responses. It tells your browser which sources of content (scripts, images, fonts) are allowed to load on that page. For example, a CSP might say 'only load scripts from our own domain'. If the page tries to load a script from somewhere else, the browser blocks it and you may see ERR_BLOCKED_BY_RESPONSE.
Can a regular visitor fix ERR_BLOCKED_BY_RESPONSE?
Usually no. This error is caused by the server's own security configuration. As a visitor, you cannot change those server-side headers. You can try refreshing, clearing cache, or using a different browser — but if the server is sending restrictive headers, only the website owner can fix the underlying problem.
Is this error a sign that the site is broken?
Sometimes yes. If a major feature of the site is blocked — like the main script or login form — then the site has a configuration error that is breaking its own functionality. This happens after server updates or when developers misconfigure security headers. Contact the site's support team if a critical part of the site is not working.