Open In App

HTTP headers | Cross-Origin-Resource-Policy

Improve
Improve
Like Article
Like
Save
Share
Report

The Cross-Origin-Resource-Policy is an HTTP response-type header that allows the servers to protect against certain cross-origin or cross-site embedding of the returned source. It complements the Cross-Origin Read Blocking (A mechanism which is used to prevent some cross-origin reads), so it is especially valuable for resources that are not covered by CORB. This also serves as an additional layer to the Same-Origin Policy. This helps in mitigating speculative side-channel attacks as well as Cross-Site Script Inclusion attacks.
The Cross Origin Resource Policy is the only way to protect the images from Spectre attacks or compromised renderers.

However, because of a chrome bug, this response header can sometimes break file downloads and prevent the users from using Save as and Save image as on the resources.

Syntax:

Cross-Origin-Resource-Policy: same-site | same-origin | cross-site

Directives: This header accepts three directives as mentioned above and describes below:

  • same-site: This directive allowed users to read the resources only when the browser recognizes their requests from the same site (registrable domain).
  • same-origin: This directive allowed users to read the resources only when the browser recognizes their requests from the same origin ([scheme, host, port]).
  • cross-site: This directive allowed users requests from different sites can also read the resources.

Note: If a header is set during the Cross-origin resource check, then the browser will automatically deny all the no-cors requests issued by different origin or site.

Below examples illustrate the HTTP Cross-Origin-Resource-Policy:

Examples:

  • In the example below, only the requests that the browser recognizes as from the same site are allowed to read the resources.
    Cross-Origin-Resource-Policy: same-site
  • In the below example, only the requests that the browser recognizes as from the same origin are allowed to read the resources.
    Cross-Origin-Resource-Policy: same-origin

Supported Browsers: The browsers are compatible with the HTTP Cross-Origin-Resources-Policy are listed below:

  • Google Chrome
  • Firefox
  • Safari

Last Updated : 28 Nov, 2019
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads