Cross-Origin-Resource-Policy
The HTTP Cross-Origin-Resource-Policy response header indicates that the server wants the client to block no-cors cross-origin (or, depending on the directive, cross-site) HTTP requests for the resource it accompanies.
Usage
The HTTP Cross-Origin-Resource-Policy response header is sent by the server to instruct the client to block access to a specific resource. This is intended to protect resources against certain types of attacks.
There are three directives: same-origin, same-site, and cross-origin.
same-origin
Using the same-origin directive restricts the resource so that it is available only to documents of the same origin; requests from cross-origin documents are blocked. For example, www.example.re is a different origin from dev.example.re, so neither can load the other's resources when the same-origin directive is present. To allow that, use the same-site directive instead.
same-site
The same-site directive restricts the resource so that it is available only to documents that belong to the same site; requests from documents on other sites are blocked.
cross-origin
When the cross-origin directive is specified, it removes any cross-origin restrictions. This is useful when a server hosts resources that other people or organizations depend on.
Example
In this example, the server directs clients to disallow cross-origin no-cors HTTP requests.
Cross-Origin-Resource-Policy: same-origin
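To make the three directives concrete, the following is an added example (not code from the original page or from any browser) that models how a user agent decides whether a no-cors load may read a response carrying a Cross-Origin-Resource-Policy header. The function corp_check, the helper names, and the URLs used as sample input are assumptions constructed for this example; the same-site test uses a simplified registrable-domain rule (last two DNS labels) rather than the Public Suffix List that real browsers consult, and it ignores Cross-Origin-Embedder-Policy, which can additionally block responses that lack the header.

```python
"""Model of the Cross-Origin-Resource-Policy (CORP) check a browser applies to a
no-cors cross-origin load. Added example; not part of the original page."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of a URL, filling in the
    default port so that https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def registrable_domain(host):
    """Simplified 'site' of a host: its last two DNS labels.
    Assumption for this example only; browsers use the Public Suffix List, so a
    host such as foo.co.uk would be classified differently in practice."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def corp_check(policy, request_origin_url, resource_url, mode="no-cors"):
    """Return 'allowed' or 'blocked' for a response whose CORP header value is
    `policy` (None when the header is absent), fetched by a document at
    `request_origin_url` from `resource_url` with the given request mode."""
    # CORP only governs no-cors loads (images, scripts, media, ...).
    # A CORS-mode request is decided by CORS headers instead.
    if mode != "no-cors":
        return "allowed"

    req_origin = origin_of(request_origin_url)
    res_origin = origin_of(resource_url)

    # A same-origin load is never blocked by any directive.
    if req_origin == res_origin:
        return "allowed"

    if policy == "same-origin":
        # Any other origin, even a sibling subdomain of the same site, is blocked.
        return "blocked"

    if policy == "same-site":
        req_scheme, req_host, _ = req_origin
        res_scheme, res_host, _ = res_origin
        # Different registrable domain: not the same site.
        if registrable_domain(req_host) != registrable_domain(res_host):
            return "blocked"
        # An https document may not pull a same-site resource over plain http.
        if req_scheme == "https" and res_scheme != "https":
            return "blocked"
        return "allowed"

    # "cross-origin", or a missing / unrecognised header value: no restriction
    # from CORP itself (COEP, not modelled here, may still block a missing header).
    return "allowed"


if __name__ == "__main__":
    # Constructed sample loads, using the hosts named on the page.
    resource = "https://www.example.re/logo.png"
    for policy in ("same-origin", "same-site", "cross-origin", None):
        for document in ("https://www.example.re", "https://dev.example.re",
                         "https://other.example"):
            print(f"{policy!s:13} {document:26} -> {corp_check(policy, document, resource)}")
    # https document loading a same-site resource over http under same-site
    print("same-site downgrade ->",
          corp_check("same-site", "https://dev.example.re", "http://www.example.re/logo.png"))
```

Running the script prints one line per (directive, document) pair; the row for dev.example.re shows the difference between same-origin (blocked) and same-site (allowed) that the text describes, and the last line shows the https-to-http downgrade that same-site still refuses.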
Takeaway
The Cross-Origin-Resource-Policy response header is sent by the server to instruct the client to block cross-origin access to the resource. Specifically, cross-origin no-cors requests for it are disallowed.