Product
HTTP Interceptor

A Power HTTP Interceptor to Intercept, Record, Debug & Modify HTTP Requests

API Client

A lightweight and secure API Client for faster API Development & Testing

API Mocking

Build frontend faster without waiting for backend.

Solutions
Frontend Web/Mobile Developers

Requestly improves front-end workflows with local JS testing, mocking, and SessionBook debugging.

For QA engineers

QA engineers love Requestly for its features and ease of use, allowing easy edge case testing.

Support Engineer

Support engineers value Requestly for debugging, demoing, and overriding GTM and Adobe scripts.

Backend Developers

Requestly helps in improving back-end development workflows, by enabling testing.

Pricing
Resources
Pricing
Blog
Case Studies
Status
Github
Release Note
Student Programme
🎉 Requestly joins BrowserStack to build the future of application testing. Read more

HTTP Headers

Cross Origin Resource Policy

HTTP Header

The HTTP Cross-Origin-Resource-Policy response header (CORP) informs the browser that it should block no-cors cross-origin or cross-site requests to the specified resource.
It defines the resource owner’s policy regarding which sites or origins are permitted to load this resource.

Syntax

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Directives

same-site

Resources are restricted to load only from the same site, ensuring that external sites cannot access or load resources from your site, which enhances security and controls resource sharing.

same-origin

Resources can only be loaded from the same origin, meaning the same protocol, domain, and port. This helps prevent cross-site request forgery and enforces strict access controls.

cross-origin

Resources can be loaded by any other origin or website, allowing for more flexible resource sharing across different domains, commonly utilized in content delivery networks and public APIs.

Example

For more examples, see https://resourcepolicy.fyi/.

The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:

http
Cross-Origin-Resource-Policy: same-origin

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Cross Origin Resource Policy header. This is especially useful for testing how your web application handles resource sharing policies across different origins, helping you debug CORS-related issues. Steps to Modify the Cross Origin Resource Policy Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Cross-Origin-Resource-Policy.
    • In the “Header Value” field, enter your desired policy value (e.g., same-origin, same-site, or cross-origin).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
  5. Save the rule.

Once set up, Requestly will inject the Cross-Origin-Resource-Policy header with your chosen value into all matching requests, allowing you to test and debug how your application manages resource sharing across different origins.