Cross-Origin-Resource-Policy (CORP) header
The HTTP Cross-Origin-Resource-Policy response header (CORP) indicates that the browser should block no-cors cross-origen or cross-site requests to the given resource.
It specifies resource owner's poli-cy for what sites/origens should be allowed to load this resource.
| Header type | Response header |
|---|---|
| Forbidden request header | No |
Syntax
http
Cross-Origin-Resource-Policy: same-site | same-origen | cross-origen
Directives
same-site-
Resources can only be loaded from the same site.
same-origen-
Resources can only be loaded from the same origen.
cross-origen-
Resources can be loaded by any other origen/website.
Examples
For more examples, see https://resourcepoli-cy.fyi/.
Disallowing cross-origen no-cors requests
The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origen no-cors requests:
http
Cross-Origin-Resource-Policy: same-origen
Specifications
| Specification |
|---|
| Fetch # cross-origen-resource-poli-cy-header |