Cross-Origin-Resource-Policy (CORP) header

The HTTP Cross-Origin-Resource-Policy response header (CORP) indicates that the browser should block no-cors cross-origin or cross-site requests to the given resource.

It specifies resource owner's policy for what sites/origins should be allowed to load this resource.

Header type	Response header
Forbidden request header	No

Syntax

http

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Directives

same-site: Resources can only be loaded from the same site.
same-origin: Resources can only be loaded from the same origin.
cross-origin: Resources can be loaded by any other origin/website.

Examples

For more examples, see https://resourcepolicy.fyi/.

Disallowing cross-origin no-cors requests

The Cross-Origin-Resource-Policy header below will cause compatible user agents to disallow cross-origin no-cors requests:

http

Cross-Origin-Resource-Policy: same-origin

Specifications

Specification
Fetch # cross-origin-resource-policy-header

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Jul 4, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content