Add a new HTTP header that prevents documents and workers from loading non-same-origin requests unless explicitly allowed via CORS or CORP. Combined with Cross-Origin-Opener-Policy (COOP), this feature allows documents (and workers) to use powerful APIs such as SharedArrayBuffer.


Loading cross-origin no-cors resources is bad for security. Currently, only renderer-based protection prevents web developers from accessing the contents of such resources, but Spectre-like attacks allow malicious web developers to read any memory in the renderer process. With this header in place, we will be able to allow web developers to use APIs that could otherwise be abused for such attacks. One such example is SharedArrayBuffer.
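A pre-rollout audit of the rule described above, as an added example (not Chromium code). It assumes the header is `Cross-Origin-Embedder-Policy: require-corp` paired with `Cross-Origin-Opener-Policy: same-origin`, which this entry does not spell out; the function names, URLs and responses are constructed.

```javascript
// Added example, not Chromium code. Sample URLs and headers are constructed.
// Simplifications: single-token header values (no structured-field parsing),
// no report-only variants, and CORS is checked for uncredentialed requests.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key ? headers[key].trim() : null;
}

// The document can use SharedArrayBuffer only when both policies are set.
function isCrossOriginIsolated(docHeaders) {
  return header(docHeaders, 'cross-origin-embedder-policy') === 'require-corp' &&
         header(docHeaders, 'cross-origin-opener-policy') === 'same-origin';
}

// res: { url, mode: 'no-cors' | 'cors', headers }
function checkResource(docOrigin, res) {
  if (new URL(res.url).origin === docOrigin) return 'allowed: same-origin';
  if (res.mode === 'cors') {
    const acao = header(res.headers, 'access-control-allow-origin');
    return acao === '*' || acao === docOrigin
      ? 'allowed: CORS' : 'blocked: CORS check failed';
  }
  const corp = header(res.headers, 'cross-origin-resource-policy');
  if (corp === 'cross-origin') return 'allowed: CORP cross-origin';
  // same-site needs a public suffix list comparison, which is out of scope here.
  if (corp === 'same-site') return 'review: CORP same-site';
  // Missing or unrecognised CORP is treated as same-origin, so the load fails.
  return corp === null ? 'blocked: no CORP header' : 'blocked: CORP ' + corp;
}

// Verdicts describe what require-corp would do, even if it is not yet enabled.
function audit(docUrl, docHeaders, resources) {
  const docOrigin = new URL(docUrl).origin;
  return {
    isolated: isCrossOriginIsolated(docHeaders),
    results: resources.map(r => ({ url: r.url, verdict: checkResource(docOrigin, r) })),
  };
}

function demo() {
  const docHeaders = { 'Cross-Origin-Embedder-Policy': 'require-corp', 'Cross-Origin-Opener-Policy': 'same-origin' };
  return audit('https://app.example/', docHeaders, [
    { url: 'https://app.example/main.js', mode: 'no-cors', headers: {} },
    { url: 'https://cdn.example.net/lib.js', mode: 'no-cors', headers: {} },
    { url: 'https://cdn.example.net/font.woff2', mode: 'cors', headers: { 'Access-Control-Allow-Origin': '*' } },
    { url: 'https://img.example.org/logo.png', mode: 'no-cors', headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } },
  ]);
}
```

Running `audit` against a page's real subresource list before enabling the header shows which third-party responses need a CORP header or a switch to CORS mode.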



Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 83
  • Chrome for Android release 83
  • Android WebView release 88

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No signal
  • No signal
  • No signals


Last updated on 2021-05-18