Cross-Origin-Resource-Policy

Enabled. Protects against certain requests from other origins.


Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks. CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

ℹ Read more about this header here.

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      crossOriginResourcePolicy: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          crossOriginResourcePolicy: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by setting crossOriginResourcePolicy: false.

Default value

By default, Nuxt Security will set the following value for this header.

Cross-Origin-Resource-Policy: same-origin

Available values

The crossOriginResourcePolicy header can be configured with the following values.

crossOriginResourcePolicy: 'same-site' | 'same-origin' | 'cross-origin' | false;

same-site

Only requests from the same site can read the resource.

⚠️ This is less secure than same-origin. The algorithm for checking whether two origins are same-site is defined in the HTML standard and compares their registrable domains, so any host under the same registrable domain qualifies.

same-origin

Only requests from the same origin (i.e. scheme + host + port) can read the resource.

cross-origin

Requests from any origin (both same-site and cross-site) can read the resource. This is useful when COEP is used (see below).

ℹ Read more about the relationship to COEP here.
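As an added example (not nuxt-security's own code), the following models how the per-route setting from the Usage section overrides the global one, and which requesters each value lets read the resource. The route names are hypothetical, and the registrable-domain check is a simplification of the HTML standard's algorithm (the last two host labels; browsers use the Public Suffix List).

```javascript
// Concrete instance of the defineNuxtConfig() shape shown under Usage.
const securityConfig = {
  security: { headers: { crossOriginResourcePolicy: 'same-origin' } }, // global default
  routeRules: {
    // hypothetical route serving fonts/images meant to be embedded by other sites (COEP case)
    '/public-assets': { security: { headers: { crossOriginResourcePolicy: 'cross-origin' } } },
    // hypothetical route where the header is switched off entirely
    '/legacy': { security: { headers: { crossOriginResourcePolicy: false } } },
  },
};

// Header value that applies to a path: the per-route rule wins over the global one.
function resolveCorp(config, path) {
  const routeValue = config.routeRules[path]?.security?.headers?.crossOriginResourcePolicy;
  return routeValue !== undefined ? routeValue : config.security.headers.crossOriginResourcePolicy;
}

// Simplification: last two labels. Real browsers consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Would a no-cors request (e.g. from <img> or <script>) issued by requesterOrigin be
// allowed to read a resource served from resourceOrigin under this CORP value?
function corpAllows(policy, resourceOrigin, requesterOrigin) {
  if (policy === false || policy === 'cross-origin') return true; // no header, or explicitly open
  const res = new URL(resourceOrigin);
  const req = new URL(requesterOrigin);
  const sameOrigin = res.origin === req.origin; // scheme + host + port must all match
  if (policy === 'same-origin') return sameOrigin;
  if (policy === 'same-site') {
    // schemeful same-site: same scheme and same registrable domain; the port is ignored
    return res.protocol === req.protocol &&
      registrableDomain(res.hostname) === registrableDomain(req.hostname);
  }
  throw new Error(`unknown crossOriginResourcePolicy value: ${policy}`);
}
```

Note that with 'same-site', a resource on app.example.com becomes readable by any other host under example.com, which is the weakening the warning above refers to.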