Cross-Origin-Resource-Policy

The HTTP Cross-Origin-Resource-Policy response header lets a server tell the browser to block no-cors cross-origin (and, depending on the value, cross-site) HTTP requests for the resource it is served with.

Usage

The HTTP Cross-Origin-Resource-Policy response header is sent by the server to instruct the browser which no-cors requests for a specific resource must be blocked. This protects the resource against certain types of cross-origin attacks, for example speculative side-channel attacks that read a resource after it has been loaded into another origin's process.

The header takes one of three directive values: same-origin, same-site, or cross-origin.

same-origin

With the same-origin directive, the resource may only be loaded by documents of the same origin; any cross-origin no-cors request for it is blocked. For example, www.example.re is a different origin from dev.example.re, so a document on www.example.re cannot load a resource that dev.example.re serves with the same-origin directive. To allow that, use the same-site directive instead.

same-site

With the same-site directive, the resource may only be loaded by documents that belong to the same site (the same registrable domain, such as www.example.re and dev.example.re). Requests from documents on other sites are blocked.

cross-origin

When the cross-origin directive is specified, no cross-origin restriction is applied and any origin may load the resource. This is useful when a server hosts resources that other people or organizations depend on, such as a public CDN.

Example

In this example, the server directs clients to disallow cross-origin no-cors HTTP requests.

Cross-Origin-Resource-Policy: same-origin
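The following is an added example, not code from the original page: a small Python model of the check a browser performs against each of the three directive values, so the www.example.re / dev.example.re cases above can be worked through. It assumes a simplified same-site test that takes the last two DNS labels as the registrable domain; a real browser consults the Public Suffix List instead.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: browsers
    use the Public Suffix List, which also handles suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origin_tuple(url: str):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def corp_blocks(policy, request_origin: str, resource_url: str,
                mode: str = "no-cors") -> bool:
    """Return True if the browser must block the response.

    policy is the Cross-Origin-Resource-Policy header value (None if absent),
    request_origin is the origin of the document issuing the request and
    resource_url is the URL of the fetched resource.
    """
    if mode != "no-cors":
        return False  # CORP governs no-cors fetches; CORS has its own checks
    if policy is None:
        return False  # no header: no CORP restriction
    policy = policy.strip().lower()
    if policy == "cross-origin":
        return False  # explicitly shareable with any origin
    req, res = origin_tuple(request_origin), origin_tuple(resource_url)
    if policy == "same-origin":
        return req != res  # scheme, host and port must all match
    if policy == "same-site":
        same_site = registrable_domain(req[1]) == registrable_domain(res[1])
        # an http document may not load an https resource even within the site
        scheme_downgrade = req[0] == "http" and res[0] == "https"
        return (not same_site) or scheme_downgrade
    return False  # unrecognised value: treated as if the header were absent


if __name__ == "__main__":
    for value in ("same-origin", "same-site", "cross-origin"):
        blocked = corp_blocks(value, "https://www.example.re",
                              "https://dev.example.re/logo.png")
        print(f"{value:13} -> {'blocked' if blocked else 'allowed'}")
```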

Takeaway

The Cross-Origin-Resource-Policy response header is sent by the server to instruct the browser to block cross-origin no-cors access to the resource it accompanies; the same-site and cross-origin values relax that restriction to same-site or to all origins, respectively.

Last updated: August 2, 2023