Cross Origin Resource Policy
The HTTP Cross-Origin-Resource-Policy response header (CORP) instructs the browser to block no-cors cross-origin or cross-site requests for the resource it is served with. It states the resource owner's policy on which sites or origins are permitted to load that resource.
Syntax
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
Directives
same-site
The resource may only be loaded by pages from the same site (same scheme and registrable domain). Pages on other sites cannot load it, so the resource stays within your site while still being shared between its subdomains.
same-origin
The resource may only be loaded by pages from the same origin, meaning the same scheme, host, and port. This helps prevent cross-site request forgery and enforces strict access controls.
cross-origin
The resource may be loaded by any origin or website. This is the most permissive value and is commonly used for content delivery networks and public APIs that are meant to be embedded across domains.
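To make the three directive values concrete, the following added example (not code from the original page or from Requestly) models the check a browser performs on a no-cors cross-origin response before handing it to the page. It takes the requesting page's origin, the URL the response came from, and the Cross-Origin-Resource-Policy value, and returns whether the load is allowed or blocked. The site computation is an assumption made for brevity: it uses the last two host labels instead of a Public Suffix List lookup, so it is wrong for hosts such as example.co.uk. The interaction with Cross-Origin-Embedder-Policy (where a missing header defaults to same-origin) is deliberately not modelled.

```javascript
// Added example: a simplified model of the browser-side CORP check applied to
// no-cors cross-origin responses. Same-origin loads and CORS-mode requests are
// not subject to this check (CORS has its own rules).

const ALLOWED = "allowed";
const BLOCKED = "blocked";

// Origin = scheme + host + port (the URL API drops default ports).
function originOf(url) {
  return new URL(url).origin;
}

// Simplified registrable domain: last two labels of the host.
// ASSUMPTION: no Public Suffix List; real browsers consult one.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function isSameOrigin(originA, originB) {
  return originA === originB;
}

// "Schemelessly same site": same registrable domain, scheme ignored.
function isSchemelesslySameSite(originA, originB) {
  const a = new URL(originA).hostname;
  const b = new URL(originB).hostname;
  return registrableDomain(a) === registrableDomain(b);
}

// Run the CORP check for one response.
//   requestOrigin : origin of the page issuing the no-cors request
//   responseUrl   : URL the response was fetched from
//   corpHeader    : Cross-Origin-Resource-Policy value, or null if absent
// Returns "allowed" or "blocked".
function corpCheck(requestOrigin, responseUrl, corpHeader) {
  const responseOrigin = originOf(responseUrl);
  const reqScheme = new URL(requestOrigin).protocol.replace(":", "");
  const respScheme = new URL(responseUrl).protocol.replace(":", "");

  // An unrecognised value is treated as if the header were absent.
  // (Case-insensitive matching here is a leniency assumed for the example.)
  const value = (corpHeader || "").trim().toLowerCase();
  const policy = ["same-origin", "same-site", "cross-origin"].includes(value)
    ? value
    : null;

  // No header, or cross-origin: the resource opts in to being loaded anywhere.
  if (policy === null || policy === "cross-origin") return ALLOWED;

  if (policy === "same-origin") {
    return isSameOrigin(requestOrigin, responseOrigin) ? ALLOWED : BLOCKED;
  }

  // same-site: hosts must share a registrable domain, and an http page may not
  // load an https resource (the secure resource must not leak into an
  // insecure context).
  if (
    isSchemelesslySameSite(requestOrigin, responseOrigin) &&
    (reqScheme === "https" || respScheme !== "https")
  ) {
    return ALLOWED;
  }
  return BLOCKED;
}

// Constructed cases covering each directive and the scheme edge case.
function runCases() {
  const cases = [
    ["https://app.example.com", "https://app.example.com/logo.png", "same-origin"],
    ["https://other.example.com", "https://app.example.com/logo.png", "same-origin"],
    ["https://other.example.com", "https://app.example.com/logo.png", "same-site"],
    ["https://evil.test", "https://app.example.com/logo.png", "same-site"],
    ["http://app.example.com", "https://app.example.com/logo.png", "same-site"],
    ["https://evil.test", "https://cdn.example.com/lib.js", "cross-origin"],
    ["https://evil.test", "https://cdn.example.com/lib.js", null],
  ];
  return cases.map(([origin, url, header]) => corpCheck(origin, url, header));
}

for (const r of runCases()) console.log(r);
```

The fifth case is the one that trips people up: with same-site, a page served over plain http cannot load the https resource even though both are on example.com, so switching a site to HTTPS piecemeal can break subresource loads until every page is on https.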
Example
For more examples, see https://resourcepolicy.fyi/.
The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:
Cross-Origin-Resource-Policy: same-origin
How to Modify Header using Requestly
Requestly is a Chrome extension that lets you modify HTTP headers, including the Cross-Origin-Resource-Policy header. This is useful for testing how your web application behaves under each resource-sharing policy across different origins and for debugging CORS-related issues.
Steps to modify the Cross-Origin-Resource-Policy header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
  - Under “Action”, select “Add” or “Override”.
  - In the “Header Name” field, enter Cross-Origin-Resource-Policy.
  - In the “Header Value” field, enter your desired policy value (e.g., same-origin, same-site, or cross-origin).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
Once the rule is saved, Requestly injects the Cross-Origin-Resource-Policy header with your chosen value into every response that matches the rule, so you can test and debug how your application handles resource sharing across different origins.