Cross-Origin-Resource-Policy

The HTTP Cross-Origin-Resource-Policy response header indicates that the browser should block no-cors cross-origin or cross-site requests to the given resource.

Header type: Response header
Forbidden header name: No

Syntax

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Examples

Disallowing cross-origin no-cors requests

The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:

Cross-Origin-Resource-Policy: same-origin

For more examples, see https://resourcepolicy.fyi/.
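
To show how the three values differ in effect, here is a simplified model of the decision a compatible user agent makes for a no-cors request. It is an added example, not browser or MDN code. The function names, the sample origins, and the naive two-label "site" computation (real browsers use the Public Suffix List) are assumptions, and Cross-Origin-Embedder-Policy is not modelled.

```javascript
// Added illustration: a simplified model of the browser-side check, not browser code.
const POLICIES = new Set(["same-origin", "same-site", "cross-origin"]);

// ASSUMPTION: naive "site" = last two host labels. Real browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function naiveSite(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns "allowed" or "blocked" for a request from `initiator` (an origin
// such as "https://app.example.com") to `resourceUrl`, given the request mode
// and the Cross-Origin-Resource-Policy value the response carried (or null).
function corpCheck(initiator, resourceUrl, mode, headerValue) {
  // The header only affects no-cors requests (e.g. <img>, <script> without CORS).
  if (mode !== "no-cors") return "allowed";

  const from = new URL(initiator);
  const to = new URL(resourceUrl);
  // Same-origin requests pass regardless of the header value.
  if (from.origin === to.origin) return "allowed";

  // Missing or unrecognized values are treated as no policy.
  const policy = POLICIES.has(headerValue) ? headerValue : null;
  if (policy === null || policy === "cross-origin") return "allowed";
  if (policy === "same-origin") return "blocked";

  // same-site: hosts must share a site, and an insecure (http) initiator
  // may not load a resource served over HTTPS.
  const sameSite = naiveSite(from.hostname) === naiveSite(to.hostname);
  const schemeOk = from.protocol === "https:" || to.protocol !== "https:";
  return sameSite && schemeOk ? "allowed" : "blocked";
}

// Constructed sample requests (example.com / example.net are placeholders).
const RESOURCE = "https://static.example.com/avatar.png";
const cases = [
  ["https://static.example.com", "same-origin"],
  ["https://app.example.com", "same-origin"],
  ["https://app.example.com", "same-site"],
  ["http://app.example.com", "same-site"],
  ["https://other.example.net", "same-site"],
  ["https://other.example.net", "cross-origin"],
];
for (const [initiator, policy] of cases) {
  console.log(policy.padEnd(12), initiator.padEnd(28), corpCheck(initiator, RESOURCE, "no-cors", policy));
}
```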

Specifications

Specification: Fetch Standard, # cross-origin-resource-policy-header
