
Cross-Origin-Resource-Policy (CORP) header

files/en-us/web/http/reference/headers/cross-origin-resource-policy/index.md


The HTTP Cross-Origin-Resource-Policy {{Glossary("response header")}} (CORP) indicates that the browser should block no-cors cross-origin or cross-site requests to the given resource.

It specifies the resource owner's policy for which sites or origins are allowed to load this resource.

<table class="properties"> <tbody> <tr> <th scope="row">Header type</th> <td>{{Glossary("Response header")}}</td> </tr> </tbody> </table>

Syntax

```http
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
```

Directives

  • same-site: Resources can only be loaded from the same site.
  • same-origin: Resources can only be loaded from the same origin.
  • cross-origin: Resources can be loaded by any other origin/website.

Examples

For more examples, see https://resourcepolicy.fyi/.

Disallowing cross-origin no-cors requests

The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:

```http
Cross-Origin-Resource-Policy: same-origin
```
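As an added example (not code from MDN or any browser), the following Python function models the decision a user agent makes when a no-cors request meets each CORP value, following the Fetch specification's check in simplified form; the public suffix list is a constructed stand-in, and the `coep_require_corp` flag is assumed for illustration of the COEP interaction.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; browsers use the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host using PUBLIC_SUFFIXES."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def origin_tuple(url: str):
    """(scheme, host, port) with default ports filled in, for origin comparison."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def corp_check(request_origin: str, resource_url: str, policy: Optional[str],
               coep_require_corp: bool = False) -> str:
    """Return 'allowed' or 'blocked' for a no-cors request to resource_url.

    policy is the Cross-Origin-Resource-Policy value (None if absent). An absent
    or unrecognised value behaves as cross-origin, unless the requesting document
    has Cross-Origin-Embedder-Policy: require-corp, where it behaves as same-origin.
    """
    value = (policy or "").strip().lower()
    if value not in ("same-origin", "same-site", "cross-origin"):
        value = "same-origin" if coep_require_corp else "cross-origin"
    req, res = origin_tuple(request_origin), origin_tuple(resource_url)
    if value == "cross-origin" or req == res:
        return "allowed"
    if value == "same-origin":
        return "blocked"
    # same-site: hosts must share a registrable domain, and a non-https origin
    # may not load an https resource (the spec's scheme restriction).
    same_site = registrable_domain(req[1]) == registrable_domain(res[1])
    if same_site and (req[0] == "https" or res[0] != "https"):
        return "allowed"
    return "blocked"
```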

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also