
HTTP Header

Cross-Origin-Resource-Policy

Security

Tells the browser which requesting sites may use a response that was fetched without CORS (for example via a plain <img> or <script> tag); pages from other origins receive a network error instead of the resource.


What is the Cross-Origin-Resource-Policy header?

Cross-Origin-Resource-Policy (CORP) is a response header that lets a server declare which requesting origins may use a resource that was loaded in no-cors mode. It is enforced by the browser, not the server: the request is still sent and answered, but if the requesting page's origin does not satisfy the policy the browser discards the response and the page sees a network error. The header exists to keep sensitive cross-origin resources out of an attacker's renderer process (a defence against Spectre-class side channels) and is the opt-in mechanism that Cross-Origin-Embedder-Policy: require-corp relies on.

HTTP headers define how content should be interpreted, cached, authenticated, secured, or processed by browsers and APIs.

Direction

Response header only. A browser never sends it; it is set by the origin server or CDN on the response for the resource being protected, and it has no meaning in a request.

Syntax

Cross-Origin-Resource-Policy: same-origin | same-site | cross-origin

  • same-origin: only pages with exactly the same scheme, host and port as the resource may load it.
  • same-site: pages on the same registrable domain (for example app.example.com loading from cdn.example.com) may load it, regardless of subdomain or port. A page served over http may not load a same-site resource served over https.
  • cross-origin: any page may load it. This is the value a cross-origin resource needs before a page that sends Cross-Origin-Embedder-Policy: require-corp can use it without CORS.

An unrecognised value is ignored and the response is treated as if the header were absent.

Example

Cross-Origin-Resource-Policy: same-origin

Common use cases

  • Keeping user-specific images, scripts or other assets out of other sites' pages, which otherwise could embed them with <img>, <script> or similar no-cors loads and observe them through size and timing side channels
  • Limiting which sites may embed a resource, without blocking the request itself: the server still receives and answers it, so CORP is not a substitute for authentication or a server-side origin check
  • Opting public assets (for example on a CDN) in for pages that use Cross-Origin-Embedder-Policy: require-corp, which refuse any cross-origin resource that neither passes CORS nor carries Cross-Origin-Resource-Policy: cross-origin

Common mistakes

  • Sending it on a request, or expecting a Cross-Origin-Resource-Policy request header to be honoured; it is a response header only
  • Sending invalid values such as none or *; an unrecognised value is silently ignored, so the resource is treated as if no header were set
  • Confusing same-site with same-origin: same-site also admits other subdomains and ports of the same registrable domain
  • Expecting CORP to govern fetch() or <script crossorigin> loads; those run in CORS mode and are controlled by CORS headers instead
  • Using it to block framing or navigation: navigations, including iframes, are not subject to CORP unless the embedding document sets COEP, so use X-Frame-Options or CSP frame-ancestors for that
  • Assuming the header changes server behaviour: the server sends the bytes regardless, and only the browser decides whether the page may use them

Practical developer insight

CORP is set per resource, whereas Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy are set on the document that does the loading. The three fit together: a document that sends COEP: require-corp refuses any cross-origin subresource that neither passes a CORS check nor carries CORP: cross-origin, so a CDN serving public assets to such pages must add CORP: cross-origin (or correct CORS headers), while an application server should default private assets to same-origin or same-site. CORP only applies to loads made in no-cors mode, such as a plain <img>, <audio>, <video> or a classic <script> without the crossorigin attribute; module scripts, @font-face fonts and fetch() in its default cors mode are fetched with CORS and are governed by CORS headers. Remember that the request is still sent and answered: CORP is a browser-side restriction on using the response, not server-side access control.
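To make the decision rules above concrete, here is an added example (not code from this page or from any browser) that models the browser-side CORP check, structured after the "cross-origin resource policy check" in the Fetch standard. The request and response objects, the scenario hostnames and the two-label definition of a "site" are assumptions made for the example; real browsers use the Public Suffix List to find a host's registrable domain.

```javascript
// Model of the browser-side Cross-Origin-Resource-Policy check (added example;
// not the page's own code and not a browser implementation). Run with node.

function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

// Assumption for this example: a "site" is the last two host labels.
// Real browsers consult the Public Suffix List (example.co.uk would differ).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function schemelesslySameSite(a, b) {
  return registrableDomain(a.host) === registrableDomain(b.host);
}

// One pass of the check under a given embedder policy value of the requesting
// document: "unsafe-none", "credentialless" or "require-corp".
function corpInternalCheck(requestOrigin, embedderPolicy, response, forNavigation) {
  // Navigations (top-level loads, iframes) are exempt unless COEP is set
  if (forNavigation && embedderPolicy === 'unsafe-none') return 'allowed';

  const headers = response.headers || {};
  let policy = String(headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  // An unrecognised value is treated exactly like a missing header
  if (!['same-origin', 'same-site', 'cross-origin'].includes(policy)) policy = null;

  // COEP turns a missing CORP header into an implicit same-origin
  if (policy === null) {
    if (embedderPolicy === 'require-corp') policy = 'same-origin';
    else if (embedderPolicy === 'credentialless' &&
             (response.includesCredentials || forNavigation)) policy = 'same-origin';
  }

  const responseOrigin = parseOrigin(response.url);
  if (policy === null || policy === 'cross-origin') return 'allowed';
  if (policy === 'same-origin') {
    return sameOrigin(requestOrigin, responseOrigin) ? 'allowed' : 'blocked';
  }
  // same-site: an http page may not pull a same-site resource served over https
  const ok = schemelesslySameSite(requestOrigin, responseOrigin) &&
             (requestOrigin.scheme === 'https' || responseOrigin.scheme !== 'https');
  return ok ? 'allowed' : 'blocked';
}

// Entry point mirroring where the browser runs the check during an HTTP fetch.
// request:  { origin, mode: 'no-cors' | 'cors' | 'navigate', embedderPolicy? }
// response: { url, headers: { 'cross-origin-resource-policy'?: string }, includesCredentials? }
function corpCheck(request, response) {
  // CORS-mode loads (fetch(), <script crossorigin>, @font-face) are governed by CORS, not CORP
  if (request.mode === 'cors') return 'allowed';
  const origin = parseOrigin(request.origin);
  const forNavigation = request.mode === 'navigate';
  // The header is enforced even without COEP ...
  if (corpInternalCheck(origin, 'unsafe-none', response, forNavigation) === 'blocked') return 'blocked';
  // ... and COEP additionally blocks cross-origin responses that did not opt in
  return corpInternalCheck(origin, request.embedderPolicy || 'unsafe-none', response, forNavigation);
}

// Constructed scenarios (hostnames are made up): loads from a page on https://app.example.com
const privateImage = {
  url: 'https://cdn.example.net/avatar.png',
  headers: { 'cross-origin-resource-policy': 'same-origin' },
};
const unlabelled = { url: 'https://cdn.example.net/logo.png', headers: {} };

function runScenarios() {
  const page = 'https://app.example.com';
  return {
    privateImageFromOtherOrigin: corpCheck({ origin: page, mode: 'no-cors' }, privateImage),                        // blocked
    unlabelledImage: corpCheck({ origin: page, mode: 'no-cors' }, unlabelled),                                       // allowed
    unlabelledUnderCoep: corpCheck({ origin: page, mode: 'no-cors', embedderPolicy: 'require-corp' }, unlabelled),   // blocked
    corsFetchUnderCoep: corpCheck({ origin: page, mode: 'cors', embedderPolicy: 'require-corp' }, unlabelled),       // allowed
  };
}

console.log(runScenarios());
```

The two-pass structure in corpCheck is the point worth noticing: the header's own policy is applied first, and then, if the loading document sent COEP: require-corp, a second pass treats a missing or invalid CORP header as same-origin, which is why an unlabelled CDN asset works on an ordinary page but disappears as soon as the page opts into cross-origin isolation.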

Related headers

  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Access-Control-Allow-Origin