Cross-Origin-Resource-Policy
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like `<script>` and `<img>`), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks. CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.
Usage
This header is enabled by default, but you can change its behavior as follows.
```ts
export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      crossOriginResourcePolicy: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          crossOriginResourcePolicy: <OPTIONS>,
        },
      },
    }
  }
})
```
You can also disable this header with `crossOriginResourcePolicy: false`.
Default value
By default, Nuxt Security will set the following value for this header.
```http
Cross-Origin-Resource-Policy: same-origin
```
Available values
The `crossOriginResourcePolicy` header can be configured with the following values.

```ts
crossOriginResourcePolicy: 'same-site' | 'same-origin' | 'cross-origin' | false;
```
same-site
Only requests from the same site (for example, different subdomains of one registrable domain) can read the resource.
same-origin
Only requests from the same origin (i.e. scheme + host + port) can read the resource.
cross-origin
Requests from any origin (both same-site and cross-site) can read the resource. This is useful when COEP is used (see below).
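To make the difference between the three values concrete, the following added example (not code from nuxt-security) models the check a browser performs when a page at `pageUrl` embeds a resource served with a given `crossOriginResourcePolicy` from `resourceUrl`. It assumes the "site" of a host is its last two labels; real browsers consult the Public Suffix List, and `corpHeader` is a hypothetical helper that mirrors what the module would emit.

```javascript
// Added example: model of the Cross-Origin-Resource-Policy decision.
// Assumption: a site is approximated by the last two host labels
// (e.g. app.example.com -> example.com); browsers use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function sameOrigin(a, b) {
  // URL.origin normalises scheme, host and port (default ports are dropped),
  // so "https://a.example:443/" and "https://a.example/" compare equal.
  return new URL(a).origin === new URL(b).origin;
}

function sameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  // "Schemeful same-site": http:// and https:// versions of a site differ.
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Returns true when the browser may hand the response body to the embedding
// page. `false` means nuxt-security sends no header, so the browser's
// default (no CORP restriction) applies.
function corpAllows(policy, pageUrl, resourceUrl) {
  switch (policy) {
    case 'same-origin':
      return sameOrigin(pageUrl, resourceUrl);
    case 'same-site':
      return sameSite(pageUrl, resourceUrl);
    case 'cross-origin':
    case false:
      return true;
    default:
      throw new Error(`unknown crossOriginResourcePolicy value: ${policy}`);
  }
}

// Hypothetical helper: the header line the server would emit for a given
// option value, or null when the header is disabled.
const CORP_VALUES = new Set(['same-site', 'same-origin', 'cross-origin']);
function corpHeader(policy) {
  if (policy === false) return null;
  if (!CORP_VALUES.has(policy)) {
    throw new Error(`unknown crossOriginResourcePolicy value: ${policy}`);
  }
  return `Cross-Origin-Resource-Policy: ${policy}`;
}
```

With the module's default of `same-origin`, a script or image on another origin of the same site (such as a CDN subdomain) is blocked; switching to `same-site` admits it while still refusing unrelated sites.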
Relationship to COEP
here.