Skip to content
Related Articles
Open in App
Not now

Related Articles

HTTP headers | Cross-Origin-Resource-Policy

Improve Article
Save Article
Like Article
  • Last Updated : 28 Nov, 2019
Improve Article
Save Article
Like Article

The Cross-Origin-Resource-Policy is an HTTP response-type header that allows the servers to protect against certain cross-origin or cross-site embedding of the returned source. It complements the Cross-Origin Read Blocking (A mechanism which is used to prevent some cross-origin reads), so it is especially valuable for resources that are not covered by CORB. This also serves as an additional layer to the Same-Origin Policy. This helps in mitigating speculative side-channel attacks as well as Cross-Site Script Inclusion attacks.
The Cross Origin Resource Policy is the only way to protect the images from Spectre attacks or compromised renderers.

However, because of a chrome bug, this response header can sometimes break file downloads and prevent the users from using Save as and Save image as on the resources.

Syntax:

Cross-Origin-Resource-Policy: same-site | same-origin | cross-site

Directives: This header accepts three directives as mentioned above and describes below:

  • same-site: This directive allowed users to read the resources only when the browser recognizes their requests from the same site (registrable domain).
  • same-origin: This directive allowed users to read the resources only when the browser recognizes their requests from the same origin ([scheme, host, port]).
  • cross-site: This directive allowed users requests from different sites can also read the resources.

Note: If a header is set during the Cross-origin resource check, then the browser will automatically deny all the no-cors requests issued by different origin or site.

Below examples illustrate the HTTP Cross-Origin-Resource-Policy:

Examples:

  • In the example below, only the requests that the browser recognizes as from the same site are allowed to read the resources.
    Cross-Origin-Resource-Policy: same-site
  • In the below example, only the requests that the browser recognizes as from the same origin are allowed to read the resources.
    Cross-Origin-Resource-Policy: same-origin

Supported Browsers: The browsers are compatible with the HTTP Cross-Origin-Resources-Policy are listed below:

  • Google Chrome
  • Firefox
  • Safari
My Personal Notes arrow_drop_up
Like Article
Save Article
Related Articles
1. HTTP headers | Access-Control-Expose-Headers
2. HTTP headers | Access-Control-Allow-Headers.
3. HTTP headers | Access-Control-Request-Headers
4. HTTP headers | Location
5. HTTP headers | User-Agent
6. HTTP headers | Link
7. HTTP headers | Save-Data
8. HTTP headers | Content-Type
9. HTTP headers | X-Forwarded-Proto
10. HTTP headers | X-XSS-Protection
Previous
PHP | Imagick inverseFourierTransformImage() Function
Next
How to get all property values of a JavaScript Object (without knowing the keys) ?
Article Contributed By :
https://media.geeksforgeeks.org/auth/avatar.png
sowmyarajucherukuri
@sowmyarajucherukuri
Vote for difficulty
Article Tags :
Report Issue
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox

Start Your Coding Journey Now!