
Case Study: Cloudflare COEP Header Breaking Magento WYSIWYG Editor

Client: Bigwicks Ltd · Platform: Magento 2.4.6-p10 · Area: Admin / Product Management

Summary

Product descriptions suddenly could not be saved in Magento’s admin, and attempts to isolate the issue turned up no apparent PHP or MySQL errors. The site compiled, deployed, and cached correctly, yet saving text within the WYSIWYG editor silently failed.

Diagnosis

Through console inspection, multiple CORS and COEP violations were detected referencing Cloudflare endpoints (/cdn-cgi/speculation and /cdn-cgi/rum). These are part of Cloudflare’s new Speculation Rules and Cross-Origin Embedder Policy rollouts — which isolated the admin domain and blocked TinyMCE from loading required JS resources.

Solution

The issue was resolved without disabling Cloudflare entirely by filtering the problematic injected headers and endpoints using Apache rules. Once added, Magento’s WYSIWYG and product saving functions immediately resumed normal operation.

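# Answer requests for the two Cloudflare endpoints from the console errors with 403 Forbidden.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/cdn-cgi/speculation [NC,OR]
    RewriteCond %{REQUEST_URI} ^/cdn-cgi/rum [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Remove the cross-origin isolation and Speculation-Rules headers from responses Apache sends.
# These directives are not path-scoped, so they apply to every response in this context.
<IfModule mod_headers.c>
    Header always unset Cross-Origin-Embedder-Policy
    Header always unset Cross-Origin-Opener-Policy
    Header always unset Cross-Origin-Resource-Policy
    Header always unset Speculation-Rules
</IfModule>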
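
To confirm the rules took effect, check the headers the browser actually receives, captured through the public hostname (for example with `curl -sI`) before and after the change. The Python script below is an added example, not part of the original case study; the two header dumps and their values are constructed, and the function names are illustrative.

```python
# Added example: audit a response-header dump for the headers named on this page.
WATCHED = (  # header names from the mod_headers block above
    "cross-origin-embedder-policy",
    "cross-origin-opener-policy",
    "cross-origin-resource-policy",
    "speculation-rules",
)

# Constructed sample dumps (not captured from the client's site).
BEFORE = """HTTP/2 200
content-type: text/html; charset=UTF-8
cross-origin-embedder-policy: require-corp; report-to="coep"
cross-origin-opener-policy: same-origin
speculation-rules: "/cdn-cgi/speculation"
"""
AFTER = """HTTP/2 200
content-type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Map lowercased header name -> list of values from a raw header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def policy(headers, name):
    """Policy token of a header, with parameters such as report-to dropped."""
    values = headers.get(name)
    return values[0].split(";")[0].strip().lower() if values else None

def audit(raw):
    h = parse_headers(raw)
    coep = policy(h, "cross-origin-embedder-policy")
    coop = policy(h, "cross-origin-opener-policy")
    return {
        "present": [n for n in WATCHED if n in h],
        # require-corp: cross-origin no-cors subresources must opt in via CORP or CORS
        "coep_blocks_embeds": coep == "require-corp",
        # isolation needs an enforcing COEP together with COOP: same-origin
        "isolated": coep in ("require-corp", "credentialless") and coop == "same-origin",
    }

def stripped(before, after):
    """Watched headers present in the first dump but gone from the second."""
    return sorted(set(audit(before)["present"]) - set(audit(after)["present"]))

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), stripped(BEFORE, AFTER), sep="\n")
```

An empty `present` list on the admin URL after the change means the browser no longer receives any of the four headers.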

Result

Takeaway

This incident demonstrates that not all “Magento bugs” are Magento’s fault — sometimes, upstream CDN changes can cause silent breakage at the browser level. The solution required understanding both Magento’s security model and modern web isolation policies — exactly the kind of deep-dive support Rubens Design offers when your site breaks without explanation.



Want to understand why this issue happened in the first place? Read the full technical breakdown of Cloudflare’s Speculation Rules and COEP/CORP headers:

→ When CDNs Break Your Admin: Understanding COEP, CORP, and Cloudflare’s Speculation Rules