Cross-Origin-Resource-Policy

The HTTP Cross-Origin-Resource-Policy response header (CORP) indicates that the browser should block no-cors cross-origin or cross-site requests to the given resource.

It specifies the resource owner's policy for which sites or origins are allowed to load the resource.

Header type: Response header
Forbidden header name: No

Syntax

```http
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
```

Directives

same-site

Only requests from the same site can load the resource.

same-origin

Only requests from the same origin can load the resource.

cross-origin

Requests from any origin or website can load the resource.

Examples

For more examples, see https://resourcepolicy.fyi/.

Disallowing cross-origin no-cors requests

The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:

```http
Cross-Origin-Resource-Policy: same-origin
```
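To make the three directives concrete, here is an added example (not code from the MDN page or from any browser) that models the cross-origin resource policy check a user agent performs on a response, following the Fetch specification's algorithm. It assumes a Node.js environment with the built-in `URL` class, and it approximates the "registrable domain" used for same-site comparison by taking the last two DNS labels; real browsers consult the Public Suffix List, so that part is a labelled simplification. The function name `corpCheck` and the sample origins are constructed for this example.

```javascript
// Added example: a model of the browser-side Cross-Origin-Resource-Policy
// check from the Fetch spec. Node.js, built-in URL class only.

// Two URLs are same-origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// SIMPLIFICATION (assumption, not browser behaviour): treat the last two DNS
// labels as the registrable domain. Browsers use the Public Suffix List, so
// e.g. "shop.example.co.uk" would actually need three labels.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// "Same site" is schemeful: same scheme and same registrable domain, so
// http://app.example.com and https://cdn.example.com are NOT same-site.
function sameSite(a, b) {
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Decide whether a response carrying `corpHeader` may be delivered to a fetch
// issued from `requestOrigin` in the given request `mode`.
// Returns "allowed" or "blocked".
function corpCheck({ requestOrigin, responseUrl, mode, corpHeader }) {
  const origin = new URL(requestOrigin);
  const target = new URL(responseUrl);

  // CORP only guards opaque responses, i.e. cross-origin no-cors fetches.
  // Same-origin loads and CORS-mode fetches (which have their own access
  // control via Access-Control-Allow-Origin) are not affected by this header.
  if (mode !== "no-cors" || sameOrigin(origin, target)) return "allowed";

  // A missing or unrecognised value is treated as "no policy": allowed.
  // (Cross-Origin-Embedder-Policy can change that default; out of scope here.)
  const policy = (corpHeader || "").trim();
  switch (policy) {
    case "same-origin":
      return "blocked"; // already known to be cross-origin at this point
    case "same-site":
      return sameSite(origin, target) ? "allowed" : "blocked";
    case "cross-origin":
    default:
      return "allowed";
  }
}

// Stand-alone demonstration on constructed inputs.
const resource = "https://cdn.example.com/script.js";
for (const corpHeader of ["same-origin", "same-site", "cross-origin", undefined]) {
  for (const requestOrigin of ["https://cdn.example.com", "https://app.example.com",
                               "http://app.example.com", "https://other.test"]) {
    const verdict = corpCheck({ requestOrigin, responseUrl: resource, mode: "no-cors", corpHeader });
    console.log(`${String(corpHeader).padEnd(12)} ${requestOrigin.padEnd(24)} -> ${verdict}`);
  }
}
```

Reading the output table from a defender's point of view: `same-origin` is the safest setting for anything that should never be embedded elsewhere (it stops `<script>`, `<img>` and similar no-cors embeds from other origins, which is what Spectre-style cross-origin reads depend on), `same-site` relaxes that only to sibling subdomains on the same scheme, and `cross-origin` is the explicit opt-in for public assets such as a CDN.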

Specifications

Specification: Fetch (#cross-origin-resource-policy-header)

Browser compatibility


See also