Cross-Origin Resource Policy (CORP)

Cross-Origin Resource Policy is an HTTP header that lets websites and applications opt in to protection against certain cross-origin requests (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks as well as Cross-Site Script Inclusion attacks.

CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

The policy is only effective for no-cors requests, which are issued by default for CORS-safelisted methods/headers.

As this policy is expressed via a response header, the actual request is not prevented—rather, the browser prevents the result from being leaked by stripping the response body.

History

The concept was originally proposed in 2012 (as From-Origin), but resurrected in Q2 of 2018 and implemented in Safari and Chromium.

In early 2018, two side-channel hardware vulnerabilities known as Meltdown and Spectre were disclosed. These vulnerabilities allowed sensitive data disclosure due to a race condition which arose as part of speculative execution functionality, designed to improve performance.

In response, Chromium shipped Cross-Origin Read Blocking, which automatically protects certain resources (of Content-Type HTML, JSON and XML) against cross-origin reads. If the application does not serve a nosniff directive, Chromium will attempt to guess the Content-Type and apply the protection anyway.

Cross-Origin Resource Policy is an opt-in response header which can protect any resource; there is no need for browsers to sniff MIME types.

Usage

Web applications set a Cross-Origin Resource Policy via the Cross-Origin-Resource-Policy HTTP response header, which accepts one of three values:

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

same-site
Only requests from the same site can read the resource.

Warning: The concept of a "site" is defined in the URL standard and involves checking the registrable domain. This is less secure than an origin.

same-origin
Only requests from the same origin (i.e. scheme + host + port) can read the resource.

cross-origin
Requests from any origin (both same-site and cross-site) can read the resource.

During a cross-origin resource policy check, if the header is set, the browser will deny no-cors requests issued from a different origin/site.
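The check described above, written out as an added example: this is illustrative code, not MDN's text or any browser's implementation. It assumes a tiny constructed public-suffix table in place of the real Public Suffix List, treats a "site" as scheme plus registrable domain (the schemeful notion, this example's choice), and the function names corp_check and deliver are hypothetical. The second function shows the point that the request itself still goes out and only the response body is withheld.

```python
"""Model of the browser-side Cross-Origin Resource Policy (CORP) check.

Added illustration, not MDN or Fetch-specification code. It implements the
three header values: same-origin compares scheme + host + port, same-site
compares scheme + registrable domain, and cross-origin allows everyone.
The check is only consulted for no-cors requests.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table for this example. A real
# user agent consults the full Public Suffix List (assumption: that list is
# what "registrable domain" is computed from in practice).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines an origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL for this example: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def registrable_domain(host):
    """Public suffix plus one label, e.g. api.example.com -> example.com."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The host itself is a public suffix: it has no registrable domain.
            return None if i == 0 else ".".join(labels[i - 1:])
    # No known suffix (e.g. "localhost"): treat the whole host as the domain.
    return host


def site(url):
    """A site is the scheme plus the registrable domain (schemeful, this
    example's choice), so an http:// page cannot read same-site https://."""
    scheme, host, _ = origin(url)
    return (scheme, registrable_domain(host))


def corp_check(request_origin_url, resource_url, corp_header, mode="no-cors"):
    """Return "allowed" or "blocked" for one fetch.

    request_origin_url: origin of the document issuing the request
    resource_url:       URL of the fetched resource
    corp_header:        Cross-Origin-Resource-Policy value on the response,
                        or None when the server did not send the header
    mode:               request mode; CORP only applies to no-cors requests
    """
    # CORS-mode requests are governed by CORS, not by CORP.
    if mode != "no-cors":
        return "allowed"
    # Same-origin requests are never affected by CORP.
    if origin(request_origin_url) == origin(resource_url):
        return "allowed"
    policy = (corp_header or "").strip().lower()
    if policy == "same-origin":
        return "blocked"  # the origins were just shown to differ
    if policy == "same-site":
        req_site, res_site = site(request_origin_url), site(resource_url)
        if req_site[1] is None or req_site != res_site:
            return "blocked"
        return "allowed"
    # "cross-origin", a missing header, or an unrecognised value: no protection.
    return "allowed"


def deliver(response, request_origin_url, resource_url, mode="no-cors"):
    """What reaches the requesting page. The request is not prevented; when
    the check fails the body is stripped. response is (status, headers, body)."""
    status, headers, body = response
    verdict = corp_check(request_origin_url, resource_url,
                         headers.get("Cross-Origin-Resource-Policy"), mode)
    return (status, headers, b"" if verdict == "blocked" else body)


if __name__ == "__main__":
    # Constructed sample response from an API that opted in with same-origin.
    resp = (200, {"Content-Type": "application/json",
                  "Cross-Origin-Resource-Policy": "same-origin"},
            b'{"balance": 42}')
    for page in ("https://api.example.com", "https://app.example.com", "https://evil.org"):
        print(page, "->", deliver(resp, page, "https://api.example.com/me"))
```

Running the script shows the same-origin page receiving the JSON body while the same-site and cross-site pages receive a 200 response with an empty body, which is the behaviour a <script> or <img> include would observe.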

Browser compatibility

Support for the Cross-Origin-Resource-Policy header:

Desktop
  Chrome              Full support 73 (see note 1)
  Edge                Full support 79
  Firefox             Full support 74; from version 69, disabled behind a preference (see note 2)
  Internet Explorer   No support
  Opera               No support
  Safari              Full support 12

Mobile
  Android webview     Full support 73 (see note 3)
  Chrome for Android  Full support 73 (see note 1)
  Firefox for Android No support
  Opera for Android   No support
  Safari on iOS       Full support 12
  Samsung Internet    No support

Notes
1. Until version 75, downloads for files with this header would fail in Chrome. See bug 952834.
2. From version 69: this feature is behind the browser.tabs.remote.useCORP preference (needs to be set to true). To change preferences in Firefox, visit about:config.
3. Until version 75, downloads for files with this header would fail in WebView. See bug 952834.

Specifications

Specification   Status            Comment
Fetch           Living Standard   Initial definition

See also