Cross-Origin Resource Policy (CORP)

Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break file downloads, preventing visitors using Save as or Save image as on resources with the CORP header. Exercise caution when deciding to use this feature in a production environment.

Cross-Origin Resource Policy is an opt-in mechanism that allows web applications to protect against certain cross-origin requests, such as those issued by the browser when resources are embedded using elements such as <script> and <img>. This serves as an additional layer of protection above and beyond the same-origin policy which can mitigate speculative side channel attacks as well as Cross-Site Script Inclusion attacks. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

The policy is only effective for no-cors requests, which are issued by default for CORS-safelisted methods/headers.

As this policy is expressed via a response header, the actual request is not prevented—rather, the browser prevents the result from being leaked by stripping the response body.

History

In early 2018, two side-channel hardware vulnerabilities known as Meltdown and Spectre were disclosed. These vulnerabilities allowed sensitive data disclosure due to a race condition which arose as part of speculative execution functionality, designed to improve performance.

Against this backdrop, Chromium shipped a feature known as Cross-Origin Read Blocking. This mechanism automatically protects a limited set of cross-origin resources (of Content-Type HTML, JSON and XML) against cross-origin reads. If the application does not serve a no-sniff directive, Chromium will attempt to guess the Content-Type using a set of heuristics and apply the protection anyway.

Cross-Origin Resource Policy, in contrast, is an opt-in response header mechanism available to web developers which can protect any resource. There is no need for the browser to perform MIME type sniffing. The concept was originally proposed in 2012 (as From-Origin) but resurrected in Q2 of 2018 and implemented in Safari and Chromium.

Usage

Web applications set a Cross-Origin Resource Policy via the Cross-Origin-Resource-Policy HTTP response header.

Note: The concept of a "site" is defined in the URL standard and involves checking the registrable domain. This is a weaker concept than an origin and provides less protection.

The header accepts one of two values:

same-site
Only requests that the browser recognises as from the same Site (i.e. registrable domain) will be allowed to read the resource.
same-origin
Only requests that the browser recognises as from the same origin (i.e. [scheme, host, port] combination) will be allowed to read the resource.
Cross-Origin-Resource-Policy: same-site | same-origin

During a cross-origin resource policy check, if the header is set, the browser will deny no-cors requests issued from a different origin/site.

Browser compatibility

Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break file downloads, preventing visitors using Save as or Save image as on resources with the CORP header. Exercise caution when deciding to use this feature in a production environment.

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Cross-Origin-Resource-PolicyChrome Full support 73Edge No support NoFirefox No support NoIE No support NoOpera No support NoSafari Full support 12WebView Android Full support 73Chrome Android Full support 73Edge Mobile No support NoFirefox Android No support NoOpera Android No support NoSafari iOS Full support 12Samsung Internet Android No support No

Legend

Full support  
Full support
No support  
No support

Specifications

Specification Status Comment
Fetch Living Standard Initial definition

See also

Document Tags and Contributors

Contributors to this page: lol768, Malvoz
Last updated by: lol768,