Cross-Origin-Resource-Policy (CORP) is an HTTP response header that lets a resource declare who may embed it: same-origin, same-site or any cross-origin site. It protects assets from being loaded by other sites and defends against side-channel attacks like Spectre by limiting cross-origin reads.
CORP is set on individual resources (images, scripts, JSON) to say which origins are allowed to embed them. It reduces resource theft and cross-origin data-leak risks, and it is the mechanism COEP relies on for opting resources into embedding.
Check your website
See how your site handles cross-origin-resource-policy (corp): who may embed your resources — free, no account needed.
For business owners
CORP stops other websites from freely embedding your images, scripts and data, which protects bandwidth, content and — importantly — reduces exposure to side-channel attacks. It is a straightforward header to apply to sensitive or proprietary resources.
How it works (technical)
Set per resource:
Cross-Origin-Resource-Policy: same-origin
Values: same-origin (only your exact origin may embed it), same-site (your site including subdomains), and cross-origin (any site — required for public CDN assets and for resources loaded by COEP-enabled pages elsewhere). CORP helps mitigate speculative-execution side channels (Spectre) by preventing sensitive cross-origin responses from being loaded into another origin. Apply same-origin or same-site to private assets and cross-origin to intentionally public ones.
Real-world example
A media site found other domains hot-linking its images, inflating bandwidth costs. Setting Cross-Origin-Resource-Policy: same-site on those images blocked external embedding while keeping them available across its own subdomains.
Why it matters
CORP limits who can embed your resources, protecting assets and reducing side-channel exposure. It is also the opt-in mechanism COEP requires for cross-origin resources.
How to fix it
Add
Cross-Origin-Resource-Policy: same-originto private resources.Use
same-sitefor assets shared across your subdomains.Use
cross-originonly for genuinely public assets (e.g. a public CDN).Set CORP on resources that COEP-enabled pages need to embed.
Verify legitimate cross-site usage still works after applying.
Best practices
Default private and sensitive resources to same-origin or same-site.
Reserve cross-origin for assets you intend to be publicly embeddable.
Coordinate CORP with any COEP requirements on consuming pages.
Common mistakes
Setting cross-origin everywhere, negating the protection.
Applying same-origin to public CDN assets and breaking legitimate embedding.
Forgetting CORP is needed for resources used by COEP-isolated pages.
Frequently asked questions
What does CORP protect?
It controls which origins may embed a given resource, protecting your assets from external embedding and reducing cross-origin data-leak and side-channel risks.
How is CORP different from CORS?
CORS governs which origins may read responses via scripts; CORP governs which origins may embed a resource at all. They are complementary.
What value should public assets use?
cross-origin, so any site (and COEP-enabled pages) can embed them. Private assets should use same-origin or same-site.
Does CORP relate to Spectre?
Yes. By preventing sensitive cross-origin responses from being embedded elsewhere, CORP helps mitigate speculative-execution side-channel attacks.
Is CORP required for COEP?
Cross-origin resources loaded by a COEP: require-corp page must send CORP: cross-origin (or pass CORS), so yes in that scenario.
Where do I set CORP?
As an HTTP response header on individual resources, configured in your server, framework or CDN.
Will CORP stop hot-linking?
same-origin or same-site CORP prevents other sites from embedding the resource, which stops cross-site hot-linking of those assets.
Is CORP widely supported?
Yes, modern browsers support it and older ones ignore it, so it degrades safely.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free