Cross-Origin Resource Policy (CORP) implementation

Cross-Origin Resource Policy (CORP) is set by the Cross-Origin-Resource-Policy response header, which lets websites and applications opt-in to protection against vulnerabilities related to certain cross-origin requests (such as those made by the <script> and <img> elements).


Some side-channel hardware vulnerabilities (also known as Cross-site leaks, or XS-Leaks), such as Meltdown and Spectre, exploit a race condition arising as part of speculative execution functionality of modern processors. This functionality is designed to improve performance but can be manipulated to disclose sensitive data.


Use Cross-Origin-Resource-Policy to block no-cors cross-origin requests to given resources. As this policy is expressed via a response header, the actual request is not prevented. Instead, the browser prevents the result from being leaked by stripping out the response body.

The possible values are:


Limits resource access to requests coming from the same origin. This is recommended for URLs that reply with sensitive user information or private APIs.


Limits resource access to requests coming from the same site. This is recommended for responses from origins whose functionality is shared across several other same-site origins. Examples include a company CDN that serves static resources, and a single sign-on (SSO) app that handles authentication.


Allows resources to be accessed by cross-origin requests. This is recommended only for responses from widely-used origins, such as public CDNs or widgets. This is the default value if Cross-Origin-Resource-Policy is not set.

Set the most restrictive value possible for your site.

If, in turn, your site requires access to cross-origin resources, opt into a better default by sending a Cross-Origin-Embedder-Policy header along with the associated requests. This will prevent loading of cross-origin resources that don't also explicitly send a Cross-Origin-Resource-Policy: cross-origin header.


Instruct browsers to disallow cross-origin requests made in no-cors mode:

Cross-Origin-Resource-Policy: same-origin

Instruct browsers to allow cross-origin resource access, including access to features with unthrottled timers (such as SharedArrayBuffer objects or

Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

This also permits such resources to be embedded.

See also