
Security Headers: Access-Control-Allow-Origin vs. Cross-Origin-Resource-Policy (CORP)

Çağlar Arlı


Can someone explain the difference between the Access-Control-Allow-Origin header and the Cross-Origin-Resource-Policy header?


According to MDN:
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.

And:
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.

As this policy is expressed via a response header, the actual request is not prevented—rather, the browser prevents the result from being leaked by stripping the response body.


What different things can be achieved with these two headers? I think the internet needs information about this, as security headers are still one of the major things done wrong, and I could not find any information about the difference between these two headers.
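The two headers answer different questions, and the quickest way to see that is to model what the browser decides with each. The Python below is an added example, not code from the post or from MDN. It follows the Fetch standard's CORS check (does Access-Control-Allow-Origin let script on the requesting origin read the body?) and CORP check (does Cross-Origin-Resource-Policy let a no-cors load such as <img> or <script> from the requesting origin receive the response at all?) in simplified form. The "registrable domain" used for same-site is approximated by the last two host labels instead of the Public Suffix List; the hostnames and headers are constructed for the demonstration.

```python
"""Model of a browser's CORS check (Access-Control-Allow-Origin) and CORP check
(Cross-Origin-Resource-Policy) on a single response.  Constructed example;
simplified from the Fetch standard, not browser source."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Serialise scheme://host[:port] of a URL as its origin string."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def registrable_site(url: str) -> str:
    # ASSUMPTION: last two labels stand in for the registrable domain.
    # Real browsers consult the Public Suffix List (e.g. for co.uk).
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v.strip() for k, v in headers.items()}


def cors_allows_read(requesting_origin: str, response_headers: dict,
                     with_credentials: bool = False) -> bool:
    """CORS check: may script running on requesting_origin read this response?
    Applies to fetch()/XMLHttpRequest in 'cors' mode.  No header = no read."""
    h = _lower_headers(response_headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        # The wildcard is never honoured for credentialed requests.
        return not with_credentials
    if acao.lower() != requesting_origin.lower():
        return False
    if with_credentials:
        return h.get("access-control-allow-credentials", "").lower() == "true"
    return True


def corp_allows_load(requesting_origin: str, resource_url: str,
                     response_headers: dict) -> bool:
    """CORP check: may a no-cors load (<img>, <script>, <video>, ...) initiated
    from requesting_origin receive this response?  No header = allowed, which
    is why CORP is described as an opt-in protection."""
    policy = _lower_headers(response_headers).get(
        "cross-origin-resource-policy", "").lower()
    if policy == "same-origin":
        return origin_of(resource_url) == requesting_origin.lower()
    if policy == "same-site":
        if registrable_site(requesting_origin) != registrable_site(resource_url):
            return False
        # Fetch's rule: an http requester may not load an https same-site resource.
        req_scheme = urlsplit(requesting_origin).scheme
        res_scheme = urlsplit(resource_url).scheme
        return req_scheme == "https" or res_scheme != "https"
    # 'cross-origin', absent, or unrecognised value: CORP does not block.
    return True


def evaluate(requesting_origin: str, resource_url: str, response_headers: dict,
             with_credentials: bool = False) -> dict:
    """Both decisions side by side for one response."""
    return {
        "cors_read": cors_allows_read(requesting_origin, response_headers,
                                      with_credentials),
        "corp_load": corp_allows_load(requesting_origin, resource_url,
                                      response_headers),
    }


if __name__ == "__main__":
    # Constructed scenario 1: a JSON API opens itself to one front-end origin via
    # ACAO but sets no CORP, so any site may still embed it as a no-cors load.
    api = "https://api.example.com/data"
    api_headers = {"Access-Control-Allow-Origin": "https://app.example.com"}
    print("app reads API:", evaluate("https://app.example.com", api, api_headers))
    print("other site:   ", evaluate("https://other.example", api, api_headers))

    # Constructed scenario 2: an image CDN sets CORP same-site and no ACAO.
    # Same-site pages may embed it, other sites get a stripped body, and
    # nobody (not even same-site script) may read the bytes through fetch().
    img = "https://cdn.example.com/secret.png"
    img_headers = {"Cross-Origin-Resource-Policy": "same-site"}
    print("www embeds:   ", evaluate("https://www.example.com", img, img_headers))
    print("other site:   ", evaluate("https://other.example", img, img_headers))
```

Read the two dictionaries together: Access-Control-Allow-Origin is the server opting *in* to letting a named origin read a response that the same-origin policy would otherwise hide, while Cross-Origin-Resource-Policy is the server opting *out* of being embedded by origins it has not named, which is what closes the Spectre and XSSI window the MDN text describes. A response can carry both, either, or neither, and the four combinations mean different things.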