Cross-Origin Resource Policy (CORP)


Definition: Cross-Origin Resource Policy (CORP) is a header set on individual resources (images, scripts, etc.) that controls which origins can embed them. Values include same-origin (only the same origin), same-site (same site including subdomains), and cross-origin (any origin). It protects resources from being embedded by malicious pages.

The Importance of CORP

CORP complements COEP by allowing resource servers to explicitly control who can load their resources. When Cross-Origin-Embedder-Policy: require-corp is active on a page, every cross-origin resource it loads must either be fetched with CORS (for example an img or script element with the crossorigin attribute, answered with a matching Access-Control-Allow-Origin header) or carry a Cross-Origin-Resource-Policy: cross-origin header; otherwise the browser blocks the load. This creates a two-way consent model for resource sharing: the embedding page opts in with COEP, and the resource server opts in with CORP or CORS.

Without CORP, any website can embed your images, scripts, or other resources. While hotlinking is often just a bandwidth concern, it can also be a security issue. A page that is cross-origin isolated (COEP together with COOP) gains access to SharedArrayBuffer and high-resolution timers; if an attacker's page in that state can pull your resources into its process, their contents become readable through Spectre-style side channels. A same-origin or same-site CORP header lets the resource server refuse that load.

For most website operators, the primary concern is ensuring your resources work correctly on pages that use COEP. If your CDN or static assets are loaded cross-origin (even from a different subdomain), they may need CORP: cross-origin headers to continue working on COEP-enabled pages.

How to Verify

A security audit identifies resources that may need CORP headers. If you serve resources loaded by other origins, consider adding Cross-Origin-Resource-Policy: cross-origin to those resources. If your resources should only be loaded by your own site, use same-origin.
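The following is an added example, not code from the original page or from DomainOptic: a small audit helper that applies the CORP rules above (same-origin, same-site, cross-origin, and the COEP: require-corp fallback to CORS) to a constructed list of resources and reports which ones a require-corp page would be blocked from loading. The site computation is a deliberate simplification (last two host labels instead of the Public Suffix List), and the sample resources and hostnames are constructed, not real.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme://host[:port] of a URL (the browser's notion of origin)."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}" + (f":{u.port}" if u.port else "")


def site_of(origin):
    """Simplified 'site': scheme plus the last two host labels.
    Assumption for this example; browsers use the Public Suffix List."""
    u = urlsplit(origin)
    return (u.scheme, ".".join(u.hostname.split(".")[-2:]))


def corp_allows(doc_url, res_url, res_headers, cors_request, coep_require_corp):
    """Decide whether a document at doc_url may load res_url.
    res_headers: response headers of the resource (dict, case-sensitive keys).
    cors_request: True if the element requested it with the crossorigin attribute.
    Returns (allowed, reason)."""
    doc_origin, res_origin = origin_of(doc_url), origin_of(res_url)
    corp = res_headers.get("Cross-Origin-Resource-Policy", "").strip().lower()
    if res_origin == doc_origin:
        return True, "same-origin load; CORP never blocks"
    if corp == "same-origin":
        return False, "CORP same-origin blocks every cross-origin load"
    if corp == "same-site":
        if site_of(doc_origin) == site_of(res_origin):
            return True, "CORP same-site allows a same-site load"
        return False, "CORP same-site blocks a cross-site load"
    if corp == "cross-origin":
        return True, "CORP cross-origin: resource is explicitly public"
    # No (or unrecognised) CORP header: CORS can still grant the load.
    acao = res_headers.get("Access-Control-Allow-Origin")
    if cors_request and acao in ("*", doc_origin):
        return True, "no CORP, but CORS grants the load"
    if coep_require_corp:
        return False, "no CORP/CORS on a COEP: require-corp page; load blocked"
    return True, "no CORP and no COEP; load allowed"


def audit(doc_url, resources, coep_require_corp=True):
    """Return [(url, reason)] for resources the document could not load."""
    blocked = []
    for url, headers, cors in resources:
        ok, reason = corp_allows(doc_url, url, headers, cors, coep_require_corp)
        if not ok:
            blocked.append((url, reason))
    return blocked


# Constructed sample: what an audit of a require-corp page might see.
SAMPLE = [
    ("https://cdn.example.com/app.js", {"Cross-Origin-Resource-Policy": "cross-origin"}, False),
    ("https://static.example.com/logo.png", {}, False),
    ("https://api.example.com/data.json", {"Access-Control-Allow-Origin": "*"}, True),
    ("https://other.net/widget.js", {"Cross-Origin-Resource-Policy": "same-site"}, False),
    ("https://static.example.com/font.woff2", {"Cross-Origin-Resource-Policy": "same-site"}, False),
]

if __name__ == "__main__":
    for url, reason in audit("https://www.example.com/page", SAMPLE):
        print(f"BLOCKED {url}: {reason}")
```

Running it lists logo.png (no CORP or CORS on a require-corp page) and widget.js (same-site header, but other.net is a different site); the same-site font on static.example.com and the CORS-enabled JSON are allowed.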


CORP FAQ

Do I need CORP on all my resources?

Only if consumers of your resources use COEP: require-corp. However, setting CORP proactively is good practice. Use same-origin for resources that should only be loaded by your own origin, and cross-origin for truly public resources like CDN assets.

What is the difference between CORS and CORP?

CORS controls whether JavaScript can read the response of a cross-origin request (via fetch/XHR). CORP controls whether a resource can be loaded at all by a cross-origin page (including via HTML tags like img and script). They serve complementary purposes.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.