Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break file downloads, preventing visitors using Save as or Save image as on resources with the CORP header. Exercise caution when deciding to use this feature in a production environment.

The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser block no-cors cross-origin/cross-site requests to the given resource.

Header type Response header
Forbidden header name no


Cross-Origin-Resource-Policy: same-site | same-origin


The response header below will cause compatible user agents to disallow cross-origin no-cors requests:

Cross-Origin-Resource-Policy: same-origin


Specification Status Comment
Fetch Living Standard Initial definition

Browser compatibility

Update compatibility data on GitHub
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Cross-Origin-Resource-PolicyChrome Full support 73Edge No support NoFirefox No support NoIE No support NoOpera No support NoSafari Full support 12WebView Android Full support 73Chrome Android Full support 73Edge Mobile No support NoFirefox Android No support NoOpera Android No support NoSafari iOS Full support 12Samsung Internet Android No support No


Full support  
Full support
No support  
No support

See also

Document Tags and Contributors

Contributors to this page: lol768, Malvoz
Last updated by: lol768,