HTTP security header
Cross-Origin-Resource-Policy
Cross-Origin-Resource-Policy (CORP) lets a resource declare that only same-origin or same-site documents may load it, helping defend against cross-origin information leaks such as Spectre-style side channels and unauthorized embedding.
Example
Cross-Origin-Resource-Policy: same-originConfiguration guidance
- Use same-origin or same-site for sensitive resources.
- Combine with COOP and COEP for cross-origin isolation.
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app