Add a new HTTP header that prevents documents and workers from loading non-same-origin resources unless explicitly allowed via CORS or CORP. Combined with Cross-Origin-Opener-Policy (COOP), this feature allows documents (and workers) to use powerful APIs such as SharedArrayBuffer.

Loading cross-origin no-cors resources is bad for security. Currently only renderer-based protection prevents web developers from accessing the contents of such resources, but Spectre-like attacks will allow malicious web developers to read any memory in the renderer process. With this feature in place, we will be able to allow web developers to use APIs that can be abused for such attacks. One such example is SharedArrayBuffer.
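As an added illustration (not Chromium's code and not part of this entry), here is a simplified JavaScript model of the check described above, usable as an audit of which subresources would stop loading. The header names and values (`Cross-Origin-Embedder-Policy: require-corp`, `Cross-Origin-Resource-Policy`, `Cross-Origin-Opener-Policy: same-origin`) come from the respective specifications rather than from this page; the function names, the naive same-site test and the sample URLs are assumptions made for the example.

```javascript
// Simplified model of the check under `Cross-Origin-Embedder-Policy: require-corp`.
// Naive "site": scheme + last two host labels (assumption). Browsers use the
// Public Suffix List, so this is wrong for hosts such as example.co.uk.
function site(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

// headers: lower-case keys. CORS is reduced to an ACAO match, no credentials.
function allowedByEmbedderPolicy(docUrl, resUrl, mode, headers) {
  const docOrigin = new URL(docUrl).origin;
  if (new URL(resUrl).origin === docOrigin) return true; // same-origin
  if (mode === 'cors') {
    const acao = headers['access-control-allow-origin'];
    return acao === '*' || acao === docOrigin;
  }
  // no-cors: the resource must opt in with Cross-Origin-Resource-Policy.
  const corp = headers['cross-origin-resource-policy'];
  if (corp === 'cross-origin') return true;
  if (corp === 'same-site') return site(resUrl) === site(docUrl);
  return false; // header missing, or `same-origin` on a cross-origin load
}

// Both headers must be on the document's own response (COOP + embedder policy).
function isCrossOriginIsolated(docHeaders) {
  return docHeaders['cross-origin-opener-policy'] === 'same-origin' &&
    docHeaders['cross-origin-embedder-policy'] === 'require-corp';
}

// List the subresources that would stop loading once the header is enabled.
function blockedResources(docUrl, resources) {
  return resources
    .filter(r => !allowedByEmbedderPolicy(docUrl, r.url, r.mode, r.headers))
    .map(r => r.url);
}

// Constructed sample data.
const DOC = 'https://app.example/';
const SAMPLE = [
  { url: 'https://app.example/main.js', mode: 'no-cors', headers: {} },
  { url: 'https://cdn.example.net/lib.js', mode: 'no-cors', headers: {} },
  { url: 'https://cdn.example.net/font.woff2', mode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
  { url: 'https://img.app.example/logo.png', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'same-site' } },
  { url: 'https://ads.example.org/pixel.gif', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'same-origin' } },
];
console.log(blockedResources(DOC, SAMPLE));
```

Running the audit against a page's real subresource list before enabling the header shows which third-party responses still need a CORP or CORS opt-in.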



Editor's draft

Status in Chromium


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • No public signals
  • No public signals
  • No signals


Last updated on 2019-10-10