How to fix security headers COEP, COOP and CORP?

What is the best way to deal with the new security headers?

  • Cross-Origin-Embedder-Policy (COEP)
  • Cross-Origin-Opener-Policy (COOP)
  • Cross-Origin-Resource-Policy (CORP)

What I have:

more_set_headers "Content-Security-Policy: $  content_security_policy"; more_set_headers 'Cross-Origin-Embedder-Policy-Report-Only: require-corp; report-to="default"'; more_set_headers 'Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="default"'; more_set_headers 'Cross-Origin-Resource-Policy: cross-origin'; more_set_headers 'Expect-CT: max-age=86400,report-uri=""'; more_set_headers 'NEL: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}'; more_set_headers 'Permissions-Policy: camera=(self), fullscreen=(*), geolocation=(self), payment=()'; more_set_headers 'Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":""}],"include_subdomains":true}'; more_set_headers 'X-Content-Type-Options: nosniff'; # more_set_headers 'X-Frame-Options: SAMEORIGIN';  # ImmuniWeb meckert, wenn kommentiert; PaleMoon sperrt, wenn aktiviert! more_set_headers 'X-XSS-Protection: 1; mode=block'; 
  • You can check with: curl -IL
  • I have added the fourth line – without success.

The problem is I get a shit load of these messages in

enter image description here

Should I just set COEP and COOP to unsafe-none? Or how can I minimise these messages?

I found out that I can add crossorigin to the HTML img tag. But what is with all the other access methods?