Cross-Origin-Resource-Policy (CORP) Configuration Guide

Cross-Origin-Resource-Policy (CORP)

Security is more important than ever, new threats are emerging daily in the internet world. Have you ever wondered how web browsers protect your data integrity when you visit different websites? Meet Cross-Origin-Resource-Policy (CORP), a cool tool to secure your online data.

Cross site requests are a big part of web security, especially in the context of CORS (Cross-Origin Resource Sharing). These requests involve browsers handling interactions between different origins, with headers like ‘Access-Control-Allow-Origin’ and ‘Access-Control-Allow-Credentials’ controlling permissions and access to sensitive data.

In short, CORP is a set of rules that browsers follow, limiting interactions between web pages. Thanks to CORP, your browser will not allow resources like images, scripts, or styles from one site to be used by another without your permission.

In this article, we will dive into the details of Cross-Origin-Resource-Policy (CORP) and we will also give you an overview of how your online safety is protected by this protocol. So read on if you want to know the role of CORP in web security.

What is Cross-Origin-Resource-Policy (CORP)?

Cross-Origin-Resource-Policy (CORP) is a security protocol that stops third-party attacks and protects user privacy. In short, CORP sets rules on how resources like images, scripts, and styles can be accessed and used by a webpage from external sources.

It limits interactions between websites, preventing resources from being compromised. By using specific policy headers in HTTP responses, CORP allows devs and sysadmins to specify which external domains can access resources from their site as explained in this Mozilla article, “Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt-in to protection against certain requests from other origins”.

This gives control over security risks of cross-origin requests and prevents information theft and malicious script execution. Data provided by Webtechsurvey indicate that only 0,5% of websites out there use this header. That’s a pretty low number, unfortunately.

What is Cross-Origin-Resource-Policy (CORP)
What is Cross-Origin-Resource-Policy (CORP)

Cross-Origin-Resource-Policy role

Cross-Origin-Resource-Policy (CORP) controls how resources are shared between websites. By enforcing rules on resources loading from external origins CORP reduces the attack surface and protects users from content manipulation and data leakage.

‘access-control-allow-methods’ configuration is important along with CORP to manage resource access and security so that credentials are sent securely and requests are processed correctly without exposing the application to vulnerabilities.

This security protocol works by adding a specific HTTP header in server responses to tell browsers what resources and origins are allowed. In short, CORP is a digital shield that secures online data and lets users have a safer web experience while browsing.

What are cross-origin resources?

A cross-origin resource is a resource like images, scripts, or data that comes from a different domain than the one displayed in the web browser. Same-origin policy is a web security principle that restricts web pages from making requests to domains other than the one serving the original page and prevents unauthorized data access and cross-site request attacks.

When a web page loads resources from a different origin, it’s a cross-origin request. Cross-Origin Resource Sharing (CORS) is an example of a mechanism that lets servers specify which origins can access their resources. Through HTTP headers, protocols like CORS and CORP let servers declare which domains can make requests to their resources. Returning the correct Access-Control headers like Access-Control-Allow-Origin and Access-Control-Allow-Headers in the server response is important to allow certain requests and prevent vulnerabilities like CSRF (Cross-Site Request Forgery).

Is CORP the same as CORS?

No, CORP (Cross-Origin-Resource-Policy) and CORS (Cross-Origin Resource Sharing) are two different concepts in web security.

CORS is a protocol that lets web servers specify which origins can access their resources. It provides controlled access to resources across different origins bypassing same-origin policy in web browsers. CORS works through HTTP headers sent by the server in response to cross-origin requests to tell if the requested resource can be shared and under what conditions.

You should implement ‘Access-Control-Allow-Credentials’ along with ‘Access-Control-Allow-Origin’ in CORS. Using ‘*’ for ‘Access-Control-Allow-Origin’ and ‘true’ for ‘Access-Control-Allow-Credentials’ can lead to security vulnerabilities and blocked requests in some browsers. So returning specific origins is necessary to send credentials securely.

Meanwhile, CORP is a security policy that lets developers and sysadmins control how their resources are embedded on external websites. CORP focuses on preventing cross-origin attacks by defining rules for loading resources (like images, scripts, and styles) from external origins. We can set policies to allow or deny external domains to use our resources.

CORS controls access to resources across different origins and CORP defines rules for embedding resources from one origin to another. Although they are different, it’s a good idea to use them together as they both help in securing cross-origin interactions.

Cross-Origin-Resource-Policy browser support

CanIUse.com states that all major web browsers support CORP nowadays:

  • Safari was the first one to support it starting in September 2018.
  • The next one was Google Chrome in March 2019.
  • A month later in April 2019, Opera started to support CORP too.
  • Support for it on Microsoft Edge was included in January 2020.
  • The last one to arrive at the party was Mozilla Firefox, starting in March 2020.

Cross-Origin Resources and Security

Cross-origin resources are a crucial part of web security as they can be used to launch attacks like cross-site scripting (XSS) and cross-site request forgery (CSRF). The same-origin policy is a security mechanism that restricts web pages from making requests to domains other than the one serving the original page. However, this policy can be bypassed using techniques like JSONP or Cross-Origin Resource Sharing (CORS).

CORS is a mechanism that lets web servers specify which origins can access their resources. It’s an opt-in mechanism, meaning the server must explicitly allow cross-origin requests. The Access-Control-Allow-Origin header is used to specify which origins can access a resource and manage cross-origin resource sharing.

Cross-Origin Resource Policy (CORP) is a security feature that lets devs and sysadmins control how their resources are embedded on external websites. Unlike CORS which controls access to resources across different origins, CORP controls the loading and usage of cross-origin resources. By setting specific policies CORP prevents unauthorized use of resources and secures the web.

Cross-Origin-Resource-Policy examples

Let’s see a few examples illustrating the use of Cross-Origin-Resource-Policy (CORP):

Restricting Cross-Origin access:

Employing the CORP header with the value same-origin enforces a stringent policy where resources are exclusively accessible to pages from the same origin, preventing access from other domains.

Cross-Origin-Resource-Policy: same-origin

Allowing Cross-Origin access from a specific domain:

By specifying a particular external domain in the CORP header with the cross-origin directive, resources become accessible exclusively from that domain while being restricted from other origins.

Cross-Origin-Resource-Policy: cross-origin https://example.com

Allowing Cross-Origin access from anywhere:

Granting access from any origin is achieved by utilizing the cross-origin directive without specifying a particular domain in the CORP header.

Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Resource-Policy (CORP)

Our examples above shows how CORP headers can be configured to manage and restrict cross-origin resource loading based on different policies. When a browser makes a cross-origin request under the CORS mechanism, it first sends a ‘preflight’ request to the server to get permission. If the server allows it, then the browser sends the ‘actual request’ to access resources from a different origin.

How to configure Cross-Origin-Resource-Policy (CORP)

Let’s see how to set the CORP header under popular web servers such as Apache and Nginx. The process is pretty straightforward for both and involves editing the web server’s config files and restarting it.

Enabling Cross-Origin-Resource-Policy in Apache

In Apache, you can use the Header directive to set the Cross-Origin-Resource-Policy header. You can add the following lines to your Apache configuration file (e.g., httpd.conf or a virtual host configuration file):

<IfModule mod_headers.c>
Header set Cross-Origin-Resource-Policy "same-origin"
</IfModule>

This example sets the CORP header to same-origin, restricting cross-origin access.
Don’t forget to restart Apache:

systemctl restart apache2

Setting up Cross-Origin-Resource-Policy in Nginx

In Nginx, you can use the add_header directive to set the Cross-Origin-Resource-Policy header. Add the following lines to your Nginx configuration file (e.g., nginx.conf or a server block configuration):

add_header Cross-Origin-Resource-Policy "same-origin";

This example, similar to our Apache example, sets the CORP header to same-origin.

Remember to restart or reload your web server after making these changes to apply the new configurations.

systemctl restart nginx

Please keep in mind that you can adjust the value of the header based on your specific requirements, such as allowing cross-origin access from specific domains or from any origin.

Configuring Cross-Origin-Resource-Policy (CORP) on IIS

Enabling the Cross-Origin-Resource-Policy (CORP) header on IIS is pretty easy, let’s see how it’s done.

  1. Open the IIS Manager, select your site, and access HTTP Response Headers.
  2. Click the Add button to set the header:
    • Name: Cross-Origin-Resource-Policy
    • Value: same-origin (or another one, depending on your needs)
  3. Save the new settings and restart the site on IIS.

How to test the Cross-Origin-Resource-Policy settings

Make sure to check our guide below to test your settings:

  1. Start by accessing our http security scanner.
  2. Now input your domain in the scan box.
  3. Make sure to tick the two boxes below, named ‘Clear cache’ and ‘Follow redirects’.
  4. Click the Scan button.
  5. Scroll down to the section named ‘HTTP Security Headers’, and look for your ‘Cross-Origin-Resource-Policy’ test results: a ‘Passed’ in green means that you’re good to go, but getting a ‘Failed’ in red means that you will have to update your settings.
Cross-Origin-Resource-Policy test results

CORP Troubleshooting

CORP troubleshooting can be tricky but here are some common issues and their solutions:

  • CORP header not being sent: check your server config and make sure the CORP header is being sent in the HTTP response. Verify the header is included and formatted correctly.
  • CORP header being ignored: check if the browser supports CORP and the header is being sent correctly. Check if the CORP header is not being overridden by other security headers.
  • Resources not loading: if resources are not loading, the CORP policy might be too restrictive. Check the policy is correct and the resources are being loaded from an allowed origin.

By following these you should be able to troubleshoot and fix common CORP issues and have your resources protected and accessible as expected.

CORP Best Practices

Implementing CORP requires considering security, compatibility and performance. Here are some best practices:

  • Use a strict CORP policy: use a strict CORP policy to restrict access to sensitive resources. This will prevent XSS and CSRF attacks.
  • Use an allow list: specify which origins are allowed to access resources using an allow list. This will prevent unauthorized access to your resources.
  • Test thoroughly: test thoroughly your CORP implementation to make sure it’s working and resources are loading as expected.
  • Monitor for issues: monitor for issues and adjust your CORP policy as needed. This will prevent problems and make sure resources are loading correctly.

By following these best practices you can implement CORP and secure your web applications.

Cross-Origin-Resource-Policy (CORP) FAQ

Let’s answer some common questions about CORP.

Using ‘same site’ will limit access to certain resources for security purposes especially when resources need to be shared within a site and not across different origins.

What is CORP?

CORP stands for Cross-Origin-Resource-Policy. It’s a security header that controls how resources (images, scripts etc) are loaded from external origins or domains. CORP prevents certain cross-origin attacks and increases web security by defining rules for resource access.

Is CORP a vulnerability?

No, CORP is not a vulnerability. It’s a security feature that mitigates vulnerabilities related to cross-origin requests. By allowing web developers and sysadmins to define policies for resource loading CORP helps to increase website security. When configured correctly it will prevent unauthorized access to resources.

Can I allow resources from specific external domains with CORP?

Yes, you can use CORP to specify which external domains can access resources on your website. By setting the CORP header with the correct directives you can control cross-origin resource loading. For example setting the header to “cross-origin https://example.com” will allow resources to be loaded from https://example.com and block access from other origins. This gives you the flexibility to grant access based on your needs and secure your web pages.

What are the challenges of Cross-Origin-Resource-Policy?

Implementing CORP may break existing web content if resources rely on cross-origin requests for functionality. But that’s not all: enforcing a strict CORP policy without testing may break certain features or cause unexpected behavior. So devs need to carefully evaluate the impact of CORP on their website and test thoroughly before deploying it to production.

Is Cross-Origin-Resource-Policy (CORP) same as Content-Security-Policy (CSP)?

No. Content-Security-Policy (CSP) is about mitigating attacks like XSS and data injection by defining which sources of content can be loaded, CORP is about controlling cross-origin resource loading and usage.

Conclusion

Cross-Origin-Resource-Policy is a set of rules that browsers follow when you visit different websites. CORP makes sure images, scripts or styles from one site can’t be used by another without your permission. It lets developers and sysadmins decide which other websites can use their resources.

It’s not the same as CORS (Cross-Origin Resource Sharing). CORS allows different websites to share data, CORP is about rules for using resources from one place to another site. Using both together is good for your website security.

Scroll to Top