Cross-Origin Resource Policy (CORP)
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP response header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks. CORP is an additional layer of protection beyond the default same-origin policy.
Note: The policy is only effective for no-cors requests, the mode used by default for embedded subresources such as <img> and <script> and available to fetch() only with CORS-safelisted methods and headers.
As this policy is expressed via a response header, the actual request is not prevented. Rather, the browser prevents the result from being leaked by stripping the response body before the requesting page can read it.
Usage
Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break PDF rendering, preventing visitors from reading past the first page of some PDFs. Exercise caution when using this header in a production environment.
Web applications set a Cross-Origin Resource Policy via the Cross-Origin-Resource-Policy HTTP response header, which accepts one of three values:
same-site
Only requests from the same site can read the resource.
Warning: This is less secure than same-origin. The algorithm for checking whether two origins are same site is defined in the HTML standard and compares the registrable domain (and scheme), so any subdomain of the site, on any port, can read the resource.
same-origin
Only requests from the same origin (i.e., scheme + host + port) can read the resource.
cross-origin
Requests from any origin (both same-site and cross-site) can read the resource. This is useful when COEP is used (see below).
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
During a cross-origin resource policy check, if the header is set, the browser will deny no-cors requests issued from a different origin/site. An unrecognised value is treated as if the header were absent.
Relationship to cross-origin embedder policy (COEP)
The Cross-Origin-Embedder-Policy HTTP response header, when used upon a document, can be used to require subresources to either be same-origin with the document, or come with a Cross-Origin-Resource-Policy HTTP response header to indicate they are okay with being embedded. This is why the cross-origin value exists: a resource served from another origin would otherwise be blocked under COEP even though it carries no policy of its own.
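The following is an added example, not code from the MDN page or from the Fetch specification: a simplified JavaScript model of the check a browser performs on a no-cors response, covering the three header values from the Usage section and the COEP require-corp interaction described above. The function name corpCheck, the scenario hosts, and the registrableDomain heuristic (last two host labels instead of the Public Suffix List that browsers use) are assumptions made for the example; navigation requests and COEP credentialless are left out.

```javascript
// Added example, not code from the MDN page or the Fetch spec: a simplified
// model of the browser's Cross-Origin Resource Policy check, so the three
// header values and the COEP interaction can be exercised with sample data.

const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// An origin is the scheme + host + port of a URL. The URL parser drops the
// default port, so "https://a.example:443" and "https://a.example" match.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Assumption: the registrable domain is approximated by the last two host
// labels. Browsers consult the Public Suffix List instead, which is what makes
// "a.example.co.uk" and "b.example.co.uk" the same site but
// "alice.github.io" and "bob.github.io" different sites.
function registrableDomain(host) {
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

// HTML's same-site comparison: same scheme and same registrable domain.
// Port and subdomain differences are ignored, which is why same-site is
// weaker than same-origin.
function sameSite(a, b) {
  return a.scheme === b.scheme && registrableDomain(a.host) === registrableDomain(b.host);
}

// Returns "allowed" or "blocked". embedderPolicy is the requesting document's
// Cross-Origin-Embedder-Policy value ("unsafe-none" or "require-corp").
function corpCheck({ requestOrigin, responseUrl, responseHeaders, requestMode = "no-cors", embedderPolicy = "unsafe-none" }) {
  // CORP only governs no-cors requests; CORS requests are already gated by the
  // server's Access-Control-* headers.
  if (requestMode !== "no-cors") return "allowed";

  // Header names are case-insensitive; the value is compared exactly here.
  const key = Object.keys(responseHeaders).find(k => k.toLowerCase() === "cross-origin-resource-policy");
  let policy = key ? responseHeaders[key].trim() : null;
  if (!CORP_VALUES.has(policy)) policy = null; // missing or unknown value: no policy

  // Under COEP: require-corp a missing header is treated as same-origin, so a
  // cross-origin subresource must opt in explicitly with "cross-origin".
  if (policy === null && embedderPolicy === "require-corp") policy = "same-origin";

  const requester = originOf(requestOrigin);
  const resource = originOf(responseUrl);

  switch (policy) {
    case "same-origin":
      return sameOrigin(requester, resource) ? "allowed" : "blocked";
    case "same-site":
      return sameSite(requester, resource) ? "allowed" : "blocked";
    default: // null or "cross-origin"
      return "allowed";
  }
}

// Constructed scenarios (no real hosts): a bank API read from its own origin,
// from sibling subdomains, from another port, and from an attacker origin.
function runScenarios() {
  const api = "https://api.bank.example/balance.json";
  const corp = v => ({ "Cross-Origin-Resource-Policy": v });
  const scenarios = [
    ["same-origin, attacker origin",        "https://attacker.example",      api, corp("same-origin"), "unsafe-none"],
    ["same-origin, own origin",             "https://api.bank.example",      api, corp("same-origin"), "unsafe-none"],
    ["same-origin, sibling subdomain",      "https://app.bank.example",      api, corp("same-origin"), "unsafe-none"],
    ["same-site, sibling subdomain",        "https://app.bank.example",      api, corp("same-site"),   "unsafe-none"],
    ["same-site, http:// sibling",          "http://app.bank.example",       api, corp("same-site"),   "unsafe-none"],
    ["same-site, other port",               "https://api.bank.example:8443", api, corp("same-site"),   "unsafe-none"],
    ["no header, COEP unsafe-none",         "https://attacker.example",      api, {},                  "unsafe-none"],
    ["no header, COEP require-corp",        "https://attacker.example",      api, {},                  "require-corp"],
    ["cross-origin, COEP require-corp",     "https://attacker.example",      api, corp("cross-origin"), "require-corp"],
  ];
  return scenarios.map(([name, requestOrigin, responseUrl, responseHeaders, embedderPolicy]) =>
    [name, corpCheck({ requestOrigin, responseUrl, responseHeaders, embedderPolicy })]);
}

for (const [name, result] of runScenarios()) console.log(result.padEnd(8), name);
```

The scenarios show the practical trade-off: same-site lets app.bank.example and a second port read the resource while still blocking attacker.example, same-origin blocks everything but the exact origin, and under require-corp a resource with no header is blocked until it is served with cross-origin.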
History
The concept was originally proposed in 2012 (as a From-Origin header), but resurrected in Q2 of 2018 and implemented in Safari and Chromium.
In early 2018, two side-channel hardware vulnerabilities known asMeltdown andSpectre were disclosed. These vulnerabilities allowed sensitive data disclosure due to a race condition which arose as part of speculative execution functionality, designed to improve performance.
Cross-Origin Resource Policy was developed as a direct way for sites to block unwanted no-cors cross-origin requests. This is an effective defense against Spectre-like attacks, as the browser strips the body from such responses before an attacker's process can access them.
Specifications
| Specification |
|---|
| Fetch: cross-origin-resource-policy-header |
See also
Cross-Origin-Resource-Policy HTTP header