Cross-Origin-Resource-Policy
The HTTP Cross-Origin-Resource-Policy response header signals the browser to block no-cors cross-origin or cross-site requests for the protected resource.
Usage
Cross-Origin-Resource-Policy (CORP) is a security header defined in the Fetch specification. When a server attaches this header to a response, the browser compares the origin of the requesting document against the policy before handing the response over. A no-cors request from a disallowed origin or site still reaches the server, but its response is withheld: the body is never delivered to the requesting document or its process. CORP is consulted only for no-cors loads (for example an img, a script without a crossorigin attribute, or a stylesheet link); a request made with CORS is governed by the CORS headers on the response instead.
CORP protects resources such as images, scripts, and stylesheets against speculative side-channel attacks like Spectre. In that attack a malicious page embeds a cross-origin resource so that its bytes land in the attacker's renderer process, then reads them through cache-timing analysis; withholding the response keeps those bytes out of the attacker's process altogether. The header works alongside Cross-Origin-Embedder-Policy (COEP). A document that sets require-corp in COEP requires every cross-origin subresource either to carry a Cross-Origin-Resource-Policy header that permits the load or to be fetched with CORS (a crossorigin attribute on the element and a matching Access-Control-Allow-Origin on the response). Under require-corp a cross-origin resource with no CORP header is treated as if it had sent same-origin, so it is blocked; same-origin subresources need no header.
Values
same-origin
The same-origin value restricts the resource to requests from the same origin. Two URLs share an origin only when the scheme, host, and port all match. A resource on https://www.example.re is blocked from loading by https://api.example.re under this policy because the hosts differ, and it is equally blocked from http://www.example.re because the schemes differ.
same-site
The same-site value allows requests from any origin within the same registrable domain (the public suffix plus one label, as determined by the Public Suffix List). Under this policy, https://www.example.re and https://api.example.re are permitted to share resources because both belong to the site example.re. Requests from a different registrable domain are blocked. One extra condition applies: a resource served over https is released only to a document that is itself served over https, so http://www.example.re cannot load an https resource from api.example.re even though the hosts are same-site.
cross-origin
The cross-origin value removes CORP restrictions entirely. The resource may be embedded by any requesting origin. This is the appropriate value for public CDN assets, shared fonts, and other resources intended for broad consumption. Note that it only lifts the no-cors embedding restriction; it does not make the response bytes readable to cross-origin script, which still requires CORS.
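The decision rule described in the Values section, together with the COEP interaction from the Usage section, modelled as an added JavaScript example. This is not code from the Fetch Standard or from any browser; it follows the cross-origin resource policy check defined in the Fetch Standard, with a constructed stand-in for the Public Suffix List and sample origins chosen for illustration. It also handles the COEP value credentialless, which this page does not otherwise cover.

```javascript
// Added example: a model of the browser's CORP decision, following the
// "cross-origin resource policy internal check" in the Fetch Standard.
// Not code from the spec or any browser. Inputs are the requesting
// document's origin, that document's Cross-Origin-Embedder-Policy, the URL
// of the fetched resource and the Cross-Origin-Resource-Policy header on
// its response. Only no-cors subresource loads are modelled; navigations
// are left out.
"use strict";

// Constructed stand-in for the Public Suffix List. Real browsers consult
// the full list; this tiny table is enough for the hosts used below.
const PUBLIC_SUFFIXES = new Set(["com", "re", "co.uk"]);

// Registrable domain (eTLD+1): the longest public suffix plus one label.
// Hosts without a known suffix (localhost, IP literals) are their own site.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Origins compare as scheme + host + port; URL.origin normalises default
// ports, so "https://a:443" and "https://a" are the same origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function sameSiteHosts(a, b) {
  return registrableDomain(a) === registrableDomain(b);
}

// Values other than the three defined ones are ignored, as the spec
// requires: an unknown value behaves like a missing header.
function parseCorp(headerValue) {
  if (headerValue == null) return null;
  const v = headerValue.trim();
  return ["same-origin", "same-site", "cross-origin"].includes(v) ? v : null;
}

// Decide whether the response may be delivered to the requesting document.
// This runs after the response has arrived: CORP discards a response, it
// does not stop the request from being sent.
function corpCheck({
  requestOrigin,
  responseUrl,
  corpHeader = null,
  embedderPolicy = "unsafe-none",    // COEP of the requesting document
  requestIncludesCredentials = true, // only consulted for COEP credentialless
}) {
  let policy = parseCorp(corpHeader);
  if (policy === null) {
    // COEP supplies a default when the resource has no usable CORP header.
    if (embedderPolicy === "require-corp") policy = "same-origin";
    else if (embedderPolicy === "credentialless" && requestIncludesCredentials) policy = "same-origin";
  }
  const req = new URL(requestOrigin);
  const res = new URL(responseUrl);
  switch (policy) {
    case null:
    case "cross-origin":
      return "allowed";
    case "same-origin":
      return sameOrigin(requestOrigin, responseUrl) ? "allowed" : "blocked";
    case "same-site": {
      // Same registrable domain, and an https resource is only released
      // to a document that is itself https.
      const schemeOk = req.protocol === "https:" || res.protocol !== "https:";
      return sameSiteHosts(req.hostname, res.hostname) && schemeOk ? "allowed" : "blocked";
    }
  }
}

// The scenarios from the Values section plus the COEP default, evaluated
// against one constructed image URL.
function demo() {
  const img = "https://www.example.re/chart.png";
  return {
    sameOriginFromWww: corpCheck({ requestOrigin: "https://www.example.re", responseUrl: img, corpHeader: "same-origin" }),
    sameOriginFromApi: corpCheck({ requestOrigin: "https://api.example.re", responseUrl: img, corpHeader: "same-origin" }),
    sameSiteFromApi: corpCheck({ requestOrigin: "https://api.example.re", responseUrl: img, corpHeader: "same-site" }),
    sameSiteFromOther: corpCheck({ requestOrigin: "https://evil.com", responseUrl: img, corpHeader: "same-site" }),
    sameSiteFromHttp: corpCheck({ requestOrigin: "http://www.example.re", responseUrl: img, corpHeader: "same-site" }),
    crossOriginFromOther: corpCheck({ requestOrigin: "https://evil.com", responseUrl: img, corpHeader: "cross-origin" }),
    noHeaderNoCoep: corpCheck({ requestOrigin: "https://evil.com", responseUrl: img }),
    noHeaderRequireCorp: corpCheck({ requestOrigin: "https://evil.com", responseUrl: img, embedderPolicy: "require-corp" }),
  };
}

console.table(demo());
```

Running it with node prints one row per scenario. The rows worth a second look are sameSiteFromHttp, where a same-site host is still blocked because the embedding document is plain http, and noHeaderRequireCorp, where a resource with no CORP header is blocked purely because the embedding document opted into require-corp.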
Example
Locking a resource to same-origin requests only, preventing any cross-origin embedding:
Cross-Origin-Resource-Policy: same-origin
Allowing same-site subdomains to load the resource while still blocking requests from external sites:
Cross-Origin-Resource-Policy: same-site
Explicitly permitting all origins to load the resource, often used for public CDN-hosted assets:
Cross-Origin-Resource-Policy: cross-origin
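The three header values above, applied from the server side as an added example (not code from the page or from any project): a minimal Node.js handler that attaches Cross-Origin-Resource-Policy to every response, defaulting to same-origin and widening only for path prefixes that are meant to be embedded elsewhere. HTML documents additionally receive Cross-Origin-Embedder-Policy: require-corp and the matching Cross-Origin-Opener-Policy, so their own cross-origin subresources must opt in via CORP or CORS. The path prefixes, the in-memory content and the port are assumptions chosen for illustration.

```javascript
// Added example, not code from the page or any project: a Node.js request
// handler that labels every response with CORP. Deny by default
// (same-origin) and widen per path prefix; the prefixes are assumptions.
"use strict";

const CORP_BY_PREFIX = [
  ["/public/", "cross-origin"], // fonts, logos, libraries served to any site
  ["/shared/", "same-site"],    // assets consumed by sibling subdomains only
];
const DEFAULT_CORP = "same-origin"; // everything else, including error pages

// Pure policy function so the mapping can be tested without opening a socket.
function securityHeadersFor(pathname, contentType) {
  const match = CORP_BY_PREFIX.find(([prefix]) => pathname.startsWith(prefix));
  const headers = { "Cross-Origin-Resource-Policy": match ? match[1] : DEFAULT_CORP };
  if (contentType.startsWith("text/html")) {
    // Documents that want cross-origin isolation need both COEP and COOP;
    // with require-corp their cross-origin subresources must carry CORP
    // or be loaded with CORS.
    headers["Cross-Origin-Embedder-Policy"] = "require-corp";
    headers["Cross-Origin-Opener-Policy"] = "same-origin";
  }
  return headers;
}

// Constructed in-memory content so the server runs offline.
const CONTENT = {
  "/": ["text/html", "<!doctype html><img src=\"/shared/chart.png\">"],
  "/shared/chart.png": ["image/png", "(constructed png bytes)"],
  "/public/logo.svg": ["image/svg+xml", "<svg xmlns=\"http://www.w3.org/2000/svg\"/>"],
  "/api/balance": ["application/json", "{\"balance\": 42}"],
};

function handle(req, res) {
  const { pathname } = new URL(req.url, "http://localhost");
  const entry = CONTENT[pathname];
  const [contentType, body] = entry || ["text/plain", "not found"];
  // The policy is set on the 404 path as well, so no response leaves the
  // server without a label.
  res.writeHead(entry ? 200 : 404, {
    "Content-Type": contentType,
    ...securityHeadersFor(pathname, contentType),
  });
  res.end(body);
}

// Start listening only when asked, so the policy function can be imported
// and exercised on its own.
if (process.argv.includes("--serve")) {
  import("node:http").then(({ createServer }) => createServer(handle).listen(8080));
}
```

Start it with node script.js --serve and fetch the four paths with curl -i to see the headers. Because the document at / opts into require-corp, the chart it embeds from /shared/ loads only because that path is labelled same-site; a sibling page on a different registrable domain embedding the same image would have it blocked, while /public/logo.svg loads anywhere.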
Takeaway
The Cross-Origin-Resource-Policy header controls which origins are allowed to load a resource in a no-cors context, providing a defense layer against cross-origin data leaks and speculative execution attacks.
See also
- Fetch Standard: Cross-Origin-Resource-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- CORS
- HTTP headers