Questions tagged [cross-origin-resource-policy]

Use this tag when you see error messages related to the Cross-Origin-Resource-Policy HTTP response header.

CORP is a way of causing browsers to enforce an even stricter same-origin policy than the default one that browsers already apply. In that sense, CORP can be seen as the opposite of CORS (which is about relaxing the default same-origin policy).

CORP only affects cross-origin requests that can already be made without CORS relaxing the same-origin policy, such as cross-origin requests for images, CSS stylesheets, and JavaScript scripts. CORP does not stop browsers from making such requests; instead it causes browsers to block documents/sites from using the responses.

CORP policies are stated using the Cross-Origin-Resource-Policy response header.

58 questions
1016 votes, 30 answers

"Cross origin requests are only supported for HTTP." error when loading a local file

I'm trying to load a 3D model, stored locally on my computer, into Three.js with JSONLoader, and that 3D model is in the same directory as the entire website. I'm getting the "Cross origin requests are only supported for HTTP." error, but I don't…
corazza
10 votes, 0 answers

Iframe - performing SSO and accessing page behind authentication wall with iframe

I have 2 domains, one that hosts my app - myapp, and the other that hosts gooddata dashboards - analytics.myapp. I would like to embed a gooddata dashboard to a page in my app. I have set the frame-src to allow requests from the domain where the…
8 votes, 6 answers

Helmet Express ERR_BLOCKED_BY_RESPONSE.NotSameOrigin 200

Please, I need help. I searched all over Google and did not really get an answer to my issue. I want to use helmet to secure my express server. But when I am using it I get this error: ERR_BLOCKED_BY_RESPONSE.NotSameOrigin 200 for loading my images…
7 votes, 1 answer

How to prevent ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep?

I am attempting to access my movie API that returns data including an image of a movie poster through a React application. This image is being requested from an external website. Each time I make a request to my \movies endpoint, the image is…
7 votes, 0 answers

Firebase Auth in Cross-Origin-Isolated mode?

I am working on a web app, which runs compute-intensive code using Emscripten's multithreaded WASM and therefore needs SharedArrayBuffers. Those only work if my app is in Cross-Origin-Isolated mode. And to enable that, I have to set the following…
6 votes, 0 answers

How is CORP different from CORS?

I am not a security specialist and have difficulty figuring out the difference between Cross-Origin Resource Policy and CORS. I see that both rely on a header sent by the server, and trust the browser to not allow server content to be delivered to…
Old Geezer
5 votes, 0 answers

Firebase auth breaks with cross origin isolation (i.e. when using Cross-Origin-Resource-Policy)

I am trying to make a website cross origin isolated, and enabled the following headers on my site: https://web.dev/cross-origin-isolation-guide/ Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Firebase auth uses a…
5 votes, 1 answer

cross origin resource policy issue when playing files from s3 on deployed app

I have a deployed app on Heroku that allows me to play audio files. You can check it out here https://telecurve.herokuapp.com/manage. Before I had no issues playing the files in Heroku but after I modified my server.js file (my app is an Express app…
Juliette
5 votes, 0 answers

How to fix cors on s3

I set up CORS on s3 using https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html. On my site I am using ckeditor to upload an image, which sends it to s3. The problem is, the POST works but GET does not. It fails…
shorif2000
4 votes, 2 answers

Is it possible to embed a cross-origin-isolated iframe inside a normal page?

(For some people, this question may be equivalent to "if I can't use sharedArrayBuffer in my main site, can I open an iframe and use sharedArrayBuffer inside the iframe?") So I want to use some wasm with sharedArrayBuffer in my site, but it's impractical to…
4 votes, 1 answer

Recaptcha V2 not working after adding COEP headers (Cross Origin Isolation)

I am using SharedArrayBuffer for some functionality in one of my web apps. On Chrome version 92 I have enabled cross origin isolation as per the instructions here and added the following headers to the root page and wasm files. Cross-Origin-Resource-Policy:…
3 votes, 1 answer

How to handle CORS for web workers?

In one of my js files (game.js), web workers are used, which causes problems for CORS. From game.js: var engine = new Worker(options.machinejs|| 'static/js/mainjs/machine.js'); The first problem I got was that SharedArrayBuffer is not defined, and I…
3 votes, 1 answer

Can we use CrossOrigin * (wildcard) in production

What is the difference when you use a specific cross origin and when you put *? For example @CrossOrigin(origins = localhost:8080) or @CrossOrigin(origins = "*"). Does it have any security issue if it is *?
user16732644
3 votes, 1 answer

Using Youtube iframe api in cross origin isolated site

My project uses multiple threads and SharedArrayBuffer. In Firefox, to use SharedArrayBuffer, your site needs to be cross origin isolated. This will also be coming to Chrome and Edge. So I isolated the site by setting these headers from the node.js…
3 votes, 0 answers

After upgrading chrome to 83, the browser blocked the response of the server interface

Chrome 81: The server is configured with the response headers 'Cross-Origin-Opener-Policy':'same-origin', 'Cross-Origin-Embedder-Policy':'require-corp'. No problem with the browser's access to the server's interface. Chrome 83: The server is…