Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break PDF rendering, preventing visitors from being able to read past the first page of some PDFs. Due to a bug in Firefox, setting Cross-Origin-Resource-Policy can prevent some resources (such as PDFs) from being downloaded in some circumstances. Exercise caution using this header in a production environment.
The Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the
| Header type | Response header |
| Forbidden header name | no |
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
The response header below will cause compatible user agents to disallow cross-origin no-cors requests:
For more examples, see https://resourcepolicy.fyi/.
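How the three values affect a no-cors request can be modelled with the check below, an added example that is not part of the original page. It follows the cross-origin resource policy check in the Fetch standard, assuming no Cross-Origin-Embedder-Policy on the embedding document and approximating "site" as the last two host labels (browsers use the Public Suffix List); the function names `site` and `corpCheck` are hypothetical.

```javascript
// Added example: models the browser-side decision for a response carrying
// Cross-Origin-Resource-Policy. Not code from the original page.
const POLICIES = new Set(["same-origin", "same-site", "cross-origin"]);

// Assumption: "site" is approximated as the last two host labels.
// Real browsers derive the registrable domain from the Public Suffix List.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// requestOrigin: origin of the document making the request
// resourceUrl:   URL of the resource being fetched
// corpHeader:    Cross-Origin-Resource-Policy value on the response, or null
// mode:          request mode ("no-cors", "cors", ...)
function corpCheck(requestOrigin, resourceUrl, corpHeader, mode = "no-cors") {
  // The header only affects no-cors requests (<img>, <script>, ...).
  if (mode !== "no-cors") return "allowed";

  const policy = corpHeader === null ? null : corpHeader.trim();
  // Absent or unrecognised values impose no restriction (no COEP assumed).
  if (!POLICIES.has(policy)) return "allowed";

  const req = new URL(requestOrigin);
  const res = new URL(resourceUrl);

  if (policy === "same-origin") {
    // Scheme, host and port must all match.
    return req.origin === res.origin ? "allowed" : "blocked";
  }
  if (policy === "same-site") {
    const sameSite = site(req.hostname) === site(res.hostname);
    // An insecure document may not load a same-site resource served over HTTPS.
    const schemeOk = req.protocol === "https:" || res.protocol !== "https:";
    return sameSite && schemeOk ? "allowed" : "blocked";
  }
  return "allowed"; // cross-origin: any document may load the resource
}

// Constructed sample: an image on cdn.example.com requested by three documents.
const img = "https://cdn.example.com/a.png";
for (const origin of ["https://cdn.example.com", "https://app.example.com", "https://other.test"]) {
  for (const policy of POLICIES) {
    console.log(origin, policy, corpCheck(origin, img, policy));
  }
}
```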
| Fetch | Living Standard | Initial definition |