Cross-Origin-Resource-Policy (CORP) is an HTTP response header that lets a server opt in to blocking certain cross-origin or cross-site embedding of the returned resource. It complements Cross-Origin Read Blocking (CORB), a browser mechanism that prevents some cross-origin reads of sensitive content types, and is especially valuable for resources that CORB does not cover. It is an additional defense layer on top of the Same-Origin Policy and helps mitigate speculative side-channel attacks such as Spectre, as well as Cross-Site Script Inclusion (XSSI) attacks.
Because CORB does not cover images, Cross-Origin-Resource-Policy is the only way to protect images from Spectre attacks or a compromised renderer process.
However, because of a Chrome bug, this response header can sometimes break file downloads and prevent users from using Save as and Save image as on the protected resources.
Syntax:
Cross-Origin-Resource-Policy: same-site | same-origin | cross-site
Directives: This header accepts exactly one of the three values shown above, described below:
- same-site: Only requests that the browser recognizes as coming from the same site (the same registrable domain, with the scheme also taken into account) may read the resource.
- same-origin: Only requests that the browser recognizes as coming from the same origin (same scheme, host and port) may read the resource.
- cross-site: Requests from any site may read the resource. This is also the default behavior when the header is absent, so sending it changes nothing on its own.
Note: The cross-origin resource policy check is only applied to no-cors requests, the kind issued by <img>, <script>, <video> and similar embeds. Once same-origin or same-site is set, the browser denies every no-cors request that comes from a different origin or site respectively; requests made in CORS mode are governed by the CORS response headers instead and are not affected.
Below examples illustrate the HTTP Cross-Origin-Resource-Policy header:
- Cross-Origin-Resource-Policy: same-site. With this value, only requests that the browser recognizes as coming from the same site are allowed to read the resource.
- Cross-Origin-Resource-Policy: same-origin. With this value, only requests that the browser recognizes as coming from the same origin are allowed to read the resource.
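The decision the directives above describe, written out as an added model in JavaScript (example code prepared for this article, not part of the Fetch standard's text or of any browser's source): it reimplements the browser-side cross-origin resource policy check for the no-cors case, using the schemeful definition of site (scheme plus registrable domain) and a small, constructed public-suffix table, and runs it over constructed requester/resource pairs. The interaction with Cross-Origin-Embedder-Policy is deliberately left out.

```javascript
// Added example, not from the original article: a model of the browser-side
// Cross-Origin-Resource-Policy check (Fetch standard, no-cors case) that shows
// what each directive value allows or blocks for a concrete requester/resource pair.
// Runs on Node.js (uses the global URL class). Assumptions are marked below.

// Constructed subset of the Public Suffix List for the demo; real browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (the "site" of a host): the longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no known suffix (e.g. "localhost"): the host itself is the site
}

// Same origin: scheme, host and port must all match. URL normalizes default ports to "".
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Schemeful same site: same scheme and same registrable domain; the port is irrelevant.
function sameSite(a, b) {
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Returns "allowed" or "blocked".
//   headerValue:  the Cross-Origin-Resource-Policy response header, or null if absent
//   requesterUrl: the page (request origin) that embeds the resource
//   resourceUrl:  the URL of the response being checked
//   mode:         fetch request mode; CORP is only consulted for no-cors requests,
//                 CORS-mode requests are decided by the CORS response headers instead
function corpCheck({ headerValue, requesterUrl, resourceUrl, mode = "no-cors" }) {
  if (mode !== "no-cors") return "allowed";
  const requester = new URL(requesterUrl);
  const resource = new URL(resourceUrl);
  // A missing or unrecognized value behaves like "cross-site", the default (fail-open).
  const policy = (headerValue || "").trim();
  switch (policy) {
    case "same-origin":
      return sameOrigin(requester, resource) ? "allowed" : "blocked";
    case "same-site":
      return sameSite(requester, resource) ? "allowed" : "blocked";
    default:
      return "allowed";
  }
}

// Constructed scenarios: various pages loading https://cdn.example.com/logo.png via <img>.
function scenarios() {
  const resourceUrl = "https://cdn.example.com/logo.png";
  const run = (headerValue, requesterUrl, mode) =>
    corpCheck({ headerValue, requesterUrl, resourceUrl, mode });
  return {
    // No header: any site may embed the image (the pre-CORP default).
    unset_cross_site: run(null, "https://attacker.org"),
    // same-site: sibling subdomain allowed; other site and http:// sibling blocked.
    same_site_sibling: run("same-site", "https://app.example.com"),
    same_site_other: run("same-site", "https://attacker.org"),
    same_site_http_sibling: run("same-site", "http://app.example.com"),
    // same-origin: only the CDN's own origin; a different port is a different origin.
    same_origin_self: run("same-origin", "https://cdn.example.com"),
    same_origin_sibling: run("same-origin", "https://app.example.com"),
    same_origin_port: run("same-origin", "https://cdn.example.com:8443"),
    // CORS-mode requests are never subject to CORP.
    cors_mode: run("same-origin", "https://attacker.org", "cors"),
    // A misspelled directive silently falls back to the default: test your header.
    typo_fails_open: run("same-origins", "https://attacker.org"),
    // Hosts under a public suffix are separate sites even though they share github.io.
    pages_tenants: corpCheck({ headerValue: "same-site",
      requesterUrl: "https://alice.github.io", resourceUrl: "https://bob.github.io/secret.png" }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(scenarios());
}

module.exports = { registrableDomain, corpCheck, scenarios };
```

Save as corp-check.js and run `node corp-check.js` to print the table. Two rows are worth dwelling on: the `typo_fails_open` row, because an unrecognized value is treated as if the header were absent, so a deployment should be verified by actually loading the resource cross-site and observing the block; and the `pages_tenants` row, which shows why same-site is not a safe choice on shared hosting where unrelated tenants sit under one public suffix.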
Supported Browsers: The browsers compatible with the HTTP Cross-Origin-Resource-Policy header are listed below:
- Google Chrome