Testing Cross-Origin-Resource-Policy (CORP) with an iframe – not working as expected

I’m trying to test the Cross-Origin-Resource-Policy (CORP) header to ensure it’s functioning as expected on my site. I’ve configured the Cross-Origin-Resource-Policy header with the value same-origin on my server (e.g., mysite.co.in). The goal is to verify that content from my site cannot be embedded on a different domain.

Set CORP Header on My Site:

Applied the header Cross-Origin-Resource-Policy: same-origin on mysite.co.in.

Tested Embedding from a Different Domain:

Created a simple HTML page on a different domain (e.g., CodePen) with the following code:

```html
<iframe src="https://mysite.co.in" width="1500" height="600" style="border: none;" title="Testing CORP"></iframe>
```

Expected Outcome:

The iframe should not load, and I should see an error in the browser console or network tab indicating that the content was blocked due to CORP.

Actual Outcome:

Site working fine on codepen’s iframe
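
Added example, not part of the original post: a simplified model of which response headers a browser consults for a cross-origin `<iframe>` versus a no-cors subresource such as `<img>` or `<script>`. It assumes the embedding page sends no Cross-Origin-Embedder-Policy header; `https://other.example`, the sample header sets and the function names are constructed for illustration.

```javascript
// Added example, not code from the original post. Simplified model of which
// response headers a browser consults when another origin embeds a resource.
// Assumption: the embedding page sends no Cross-Origin-Embedder-Policy header.
const SITE = 'https://mysite.co.in';   // origin from the post
const OTHER = 'https://other.example'; // constructed embedding origin

function frameAncestors(csp) {
  // Return the frame-ancestors source list from a CSP header value, or null.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function iframeBlocked(headers, resourceOrigin, embedderOrigin) {
  // headers: object with lower-case header names.
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources) {
    // frame-ancestors takes precedence over X-Frame-Options when present.
    // Only 'none', 'self', * and exact origins are modelled here.
    const allowed = sources.some((s) =>
      s === '*' ||
      (s.toLowerCase() === "'self'" && resourceOrigin === embedderOrigin) ||
      s === embedderOrigin);
    return !allowed;
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return resourceOrigin !== embedderOrigin;
  return false; // CORP is not consulted for an iframe navigation
}

function noCorsSubresourceBlocked(headers, resourceOrigin, embedderOrigin) {
  // CORP applies to no-cors fetches such as <img> and <script>. Only the
  // same-origin value is modelled; same-site needs a public-suffix list.
  const corp = (headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  return corp === 'same-origin' && resourceOrigin !== embedderOrigin;
}

// Constructed header sets: the configuration from the post, then the same
// configuration with framing controls added.
const asTested = { 'cross-origin-resource-policy': 'same-origin' };
const withFraming = { ...asTested, 'x-frame-options': 'SAMEORIGIN',
  'content-security-policy': "frame-ancestors 'self'" };

console.log('iframe, CORP only:', iframeBlocked(asTested, SITE, OTHER));
console.log('<img>, CORP only:', noCorsSubresourceBlocked(asTested, SITE, OTHER));
console.log('iframe, with framing headers:', iframeBlocked(withFraming, SITE, OTHER));
```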