Cross-Origin Resource Policy (CORP) is a response header that tells the browser which origins may load a given resource through a no-cors request (for example an <img>, <script>, <audio>/<video> source, or fetch() with mode 'no-cors'). It is set on the resource being served, not on the page doing the loading. Without CORP, any site can pull your images, scripts or API responses into its own renderer process; that is the condition speculative-execution side channels such as Spectre need to read cross-origin data, and it also feeds cross-site leak techniques that only need to observe whether a no-cors load succeeded. The missing header also interferes with cross-origin isolation: a page that sends Cross-Origin-Embedder-Policy: require-corp in order to use SharedArrayBuffer and high-resolution timers may only embed cross-origin resources that carry a CORP value (or opt in through CORS), so your resources are blocked from such pages. Note that CORP does not stop your own site from loading third-party scripts or media; restricting what your pages load is the job of Content-Security-Policy.
Set the Cross-Origin-Resource-Policy header on every response your server or framework emits, choosing the value per resource: 'same-origin' for anything private (API responses, user data, authenticated pages), 'same-site' where resources are shared between your own subdomains, and 'cross-origin' only for assets that are meant to be embedded by third parties (public fonts, images, widgets). Resources that other origins must be able to read should be exposed through CORS (Access-Control-Allow-Origin), since a CORS-mode request is governed by CORS rather than by CORP. Apply the header in one place, ideally at the edge (reverse proxy or CDN), and confirm that nothing downstream strips or overrides it, so every path gets a consistent value. A Web Application Firewall or strict network policy does not replace the header, because the check is enforced by the browser, but it can help you notice unexpected cross-origin traffic. After deploying, verify with curl -I or the browser's network panel that sensitive responses carry 'same-origin' and that legitimate cross-site embedding still works.
Code: A05:2021
Category: Security Misconfiguration
7.1
7.1