I am not a security specialist and have difficulty figuring out the difference between Cross-Origin Resource Policy and CORS. I see that both rely on a header sent by the server, and trust the browser not to allow server content to be delivered to the requester in the browser should the server say so. Where did I understand it wrongly?
- I agree the difference between CORP and CORS isn’t well described anywhere — not even at MDN. But do note that the MDN article at least says this: _“The policy is only effective for no-cors requests, which are issued by default for CORS-safelisted methods/headers.”_ That’s a key point: what that’s saying is, **CORP only affects cross-origin requests that can already be made without requiring CORS to relax the same-origin policy** — that is, requests which are already allowed by the same-origin policy, such as cross-origin requests for images, CSS stylesheets, and for JavaScript scripts. – sideshowbarker Jul 14 '22 at 22:13
- This question is anyway probably better suited to https://security.stackexchange.com — and https://security.stackexchange.com/a/262409/86150 actually already has an answer. To quote that: _“CORP is basically the opposite of CORS. CORP is a way of tightening the same-origin policy… it could in some cases protect a site's users from attacks that compromise the browser security model (as Spectre did/does) by not processing the response even in situations where same-origin policy would allow it (such as scripts or images).”_ – sideshowbarker Jul 14 '22 at 22:15
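The two checks the comments describe, modelled side by side as an added example (my own code, not from the question, the comments, or any browser): CORP is only consulted for cross-origin `no-cors` loads, CORS only for `cors`-mode requests. The function names are mine, and the `site()` helper only compares the last two host labels, a simplification of the real public-suffix rule.

```javascript
// Simplified model of how a browser decides whether a cross-origin response
// reaches the page. Assumption: the same-site test below ignores public-suffix
// rules and just uses the last two host labels.
const origin = (url) => { const u = new URL(url); return `${u.protocol}//${u.host}`; };
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Cross-Origin-Resource-Policy: a restriction the *resource* server adds.
// It is only evaluated for cross-origin no-cors loads (img, script, link ...).
function corpAllows(requestMode, pageUrl, resourceUrl, headers) {
  if (requestMode !== "no-cors") return true;               // cors mode: CORS decides
  if (origin(pageUrl) === origin(resourceUrl)) return true; // same-origin is never blocked
  const policy = (headers["cross-origin-resource-policy"] || "").toLowerCase();
  if (policy === "same-origin") return false;
  if (policy === "same-site") {
    // Same site, and an http page may not read an https same-site resource.
    return site(pageUrl) === site(resourceUrl) &&
      (new URL(pageUrl).protocol === "https:" || new URL(resourceUrl).protocol !== "https:");
  }
  return true; // no header (legacy default) or "cross-origin": delivered
}

// CORS: a relaxation the resource server grants. Only evaluated for cors-mode
// requests (fetch/XHR, elements with a crossorigin attribute).
function corsAllows(requestMode, pageUrl, resourceUrl, headers, withCredentials = false) {
  if (requestMode !== "cors") return true;                  // no-cors: nothing to relax
  if (origin(pageUrl) === origin(resourceUrl)) return true;
  const acao = headers["access-control-allow-origin"];
  if (acao === "*") return !withCredentials;                // "*" never works with credentials
  return acao === origin(pageUrl);
}

// A response is delivered to the page only if both checks pass.
function browserDelivers(requestMode, pageUrl, resourceUrl, headers, withCredentials = false) {
  return corpAllows(requestMode, pageUrl, resourceUrl, headers) &&
         corsAllows(requestMode, pageUrl, resourceUrl, headers, withCredentials);
}
```

Walking constructed cases through `browserDelivers` shows the asymmetry: a `CORP: same-origin` header stops an `<img>` load that was always permitted, while the same header is irrelevant to a `fetch()` that CORS already allowed.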