When CDNs Break Your Admin: Understanding COEP, CORP, and Cloudflare’s Speculation Rules
Author: David Hickling · Published: 8 Oct 2025
It started with a simple Save button…
A Magento 2 site suddenly couldn’t save product descriptions. No PHP errors. No MySQL faults. Everything compiled fine — yet every attempt to save text inside the admin WYSIWYG failed silently.
The fix, it turned out, wasn’t inside Magento at all. It was Cloudflare.
Cloudflare’s “helpful” new features
In mid-2025, Cloudflare began rolling out two web-platform security optimisations by default:
- Speculation Rules — a system that prefetches pages and isolates browsing contexts for speed.
- COEP / CORP headers — “Cross-Origin Embedder Policy” and “Cross-Origin Resource Policy”, which tighten how browsers load scripts, iframes, and workers.
These are excellent ideas for front-end sites — but they can cause chaos in dynamic admin panels like Magento’s, which rely on TinyMCE and RequireJS to pull in scripts asynchronously.
How it broke Magento
When Cloudflare injected its headers and /cdn-cgi/speculation endpoints, the browser isolated Magento’s admin from itself.
That triggered console errors like:
Access to speculationrule at 'https://example.com/cdn-cgi/speculation'
has been blocked by CORS policy:
The 'Access-Control-Allow-Origin' header has a value 'https://example.com'
that is not equal to the supplied origin.
TinyMCE and RequireJS failed to initialise, making the description editor appear frozen. Magento was innocent — the CDN simply changed the browser’s sandbox rules.
The working fix
Instead of disabling Cloudflare entirely, you can strip the offending headers and block its injected endpoints:
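<IfModule mod_rewrite.c>
    RewriteEngine On
    # Answer requests for the injected /cdn-cgi/speculation and /cdn-cgi/rum
    # endpoints with 403 Forbidden ([F]); [NC] makes the match case-insensitive.
    RewriteCond %{REQUEST_URI} ^/cdn-cgi/speculation [NC,OR]
    RewriteCond %{REQUEST_URI} ^/cdn-cgi/rum [NC]
    RewriteRule .* - [F,L]
</IfModule>
<IfModule mod_headers.c>
    # Remove the cross-origin isolation and speculation headers from responses.
    Header always unset Cross-Origin-Embedder-Policy
    Header always unset Cross-Origin-Opener-Policy
    Header always unset Cross-Origin-Resource-Policy
    Header always unset Speculation-Rules
</IfModule>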
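This immediately restores normal behaviour for Magento’s WYSIWYG and Page Builder without sacrificing Cloudflare’s caching, WAF, or performance benefits. Note that the Header directives carry no path condition, so they apply to every response this configuration covers, storefront included, and not only to the admin.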
👉 Full fix and implementation guide: Magento 2 WYSIWYG Save Fix — Cloudflare Speculation Rules
What this means for other platforms
This same issue can hit any admin interface that loads JavaScript dynamically — including WordPress Gutenberg, Shopify private apps, or headless CMS dashboards. COEP and Speculation Rules isolate browsing contexts for speed and safety, but break legitimate intra-site communication in complex admin environments.
How to prevent this in future
- Keep CDN features under manual control — review “beta” rollouts before enabling.
- Exclude your admin path from CDN caching, speculation, or header injection.
- Use browser console and network tabs as your first diagnostic tools when “nothing happens.”
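A scripted version of the header check from the list above, as an added example that is not from the original article: it parses response headers saved from `curl -sIL` and reports which of the four policy headers are present, whether they would make the page cross-origin isolated, and whether `Access-Control-Allow-Origin` matches the page origin. The sample responses, the `/admin/` path and the `www` origin are constructed assumptions.

```python
# Added example (not from the article): audit response headers captured with
# `curl -sIL <url>` for the policy headers the article names.
ISOLATION_HEADERS = (
    "cross-origin-embedder-policy",
    "cross-origin-opener-policy",
    "cross-origin-resource-policy",
    "speculation-rules",
)

def parse_final_headers(raw):
    """Return {lowercased-name: [values]} for the last response in a redirect chain."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers = {}
    for line in blocks[-1].strip().split("\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def _token(value):
    """Policy token without parameters such as report-to."""
    return value.split(";")[0].strip().lower()

def audit(raw, page_origin):
    h = parse_final_headers(raw)
    coop = [_token(v) for v in h.get("cross-origin-opener-policy", [])]
    coep = [_token(v) for v in h.get("cross-origin-embedder-policy", [])]
    return {
        "present": sorted(n for n in ISOLATION_HEADERS if n in h),
        # A document is cross-origin isolated only with COOP same-origin
        # plus COEP require-corp or credentialless.
        "isolated": "same-origin" in coop
        and any(v in ("require-corp", "credentialless") for v in coep),
        # CORS passes only if Access-Control-Allow-Origin is "*" or the exact origin.
        "acao_mismatch": [v for v in h.get("access-control-allow-origin", [])
                          if v not in ("*", page_origin)],
    }

# Constructed samples: hostnames, paths and header values are illustrative assumptions.
ADMIN_BEFORE = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/admin/\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Cross-Origin-Embedder-Policy: require-corp; report-to=\"coep\"\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Speculation-Rules: \"/cdn-cgi/speculation\"\r\n"
    "Access-Control-Allow-Origin: https://example.com\r\n\r\n"
)
ADMIN_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

Run `audit()` on headers captured from both the admin path and a storefront page to see where the policy headers are still delivered after a change.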
Takeaway
Modern CDNs are blurring the line between performance and browser security policy. Knowing what Cloudflare injects is now part of maintaining a healthy Magento stack. If your checkout or admin suddenly fails without logs, check the headers first.
— Written by David Hickling, Magento developer at Rubens Design.