Cross-Origin-Resource-PolicyCross-Origin-Resource-Policy (CORP) is a security header by which a server declares which origins' documents may fetch (embed) this resource in no-cors mode. The resource owner narrows the embedding scope to same-origin/same-site/cross-origin to defend against Spectre-class side-channel leaks.
Where CORS governs 'can script read the response body', CORP governs 'can this resource be fetched (loaded) at all' at origin granularity. Images, scripts, and media loaded in no-cors enter memory even though script cannot directly read their pixels/body, and speculative-execution attacks like Spectre can siphon that memory via side channels. CORP: same-origin blocks such resources from ever entering a cross-origin document's process.
The values are same-origin (exactly the same origin), same-site (same registrable domain and scheme), and cross-origin (anyone). Public CDN assets, fonts, and shared images must be opened with cross-origin to load correctly on other sites, while private/internal resources are locked down with same-origin/same-site.
CORP is also a satisfaction condition for COEP: require-corp. Every cross-origin resource embedded by a page seeking crossOriginIsolated must carry CORP: cross-origin (or CORS) to load under require-corp. So if a CDN does not give its assets CORP: cross-origin, those assets break on an isolated page.
Cross-Origin-Resource-Policy: <same-site | same-origin | cross-origin>e.g. Cross-Origin-Resource-Policy: same-origin
same-origin | Only documents of the exact same origin may embed/load this resource in no-cors. |
same-site | Only documents of the same site (registrable domain, including scheme) may load it. |
cross-origin | Allows any origin to load the resource; used for CDN and public assets. |