I’m trying to test the Cross-Origin-Resource-Policy (CORP) header to ensure it’s functioning as expected on my site. I’ve configured the Cross-Origin-Resource-Policy header with the value same-origin on my server (e.g., mysite.co.in). The goal is to verify that content from my site cannot be embedded on a different domain.
Set CORP header on my site:
Applied the header Cross-Origin-Resource-Policy: same-origin on mysite.co.in.
Tested embedding from a different domain:
Created a simple HTML page on a different domain (e.g., on codepen) with the following code:
```html
<iframe src="https://mysite.co.in" width="1500" height="600" style="border: none;" title="Testing CORP"></iframe>
```
Expected Outcome:
The iframe should not load, and I should see an error in the browser console or network tab indicating that the content was blocked due to CORP.
Actual Outcome: Site working fine in codepen’s iframe.
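An added example (not from the question): a Python model of the browser's Cross-Origin-Resource-Policy decision, following the Fetch specification's cross-origin resource policy check, run against constructed headers for mysite.co.in and a page on codepen.io. It shows why the iframe still loads: CORP applies to no-cors subresource loads such as `<img>` or `<script>`, and to iframe navigations only when the embedding page itself sets Cross-Origin-Embedder-Policy: require-corp; whether a page may be framed at all is decided by X-Frame-Options or a Content-Security-Policy frame-ancestors directive, which `framing_protection` reports. The suffix list and the header values are assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption); browsers use the full list.
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk"}

def header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def origin(url):
    """(scheme, host, port) for a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def registrable_domain(host):
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def corp_internal_check(policy, req, res, embedder_policy, for_navigation):
    """Model of Fetch's CORP internal check (COEP 'credentialless' not modelled)."""
    if for_navigation and embedder_policy == "unsafe-none":
        return "allowed"  # an ordinary iframe navigation is never subject to CORP
    if policy not in ("same-origin", "same-site", "cross-origin"):
        policy = "same-origin" if embedder_policy == "require-corp" else None
    if policy in (None, "cross-origin"):
        return "allowed"
    if policy == "same-origin":
        return "allowed" if req == res else "blocked"
    same_site = registrable_domain(req[1]) == registrable_domain(res[1])
    return "allowed" if same_site and (req[0] == "https" or res[0] != "https") else "blocked"

def corp_check(headers, requester_url, resource_url, mode, embedder_policy="unsafe-none"):
    """Would a page at requester_url be blocked from loading resource_url?
    mode: 'no-cors' (img, script, ...), 'cors' (fetch/XHR with CORS) or 'navigate' (iframe)."""
    if mode == "cors":
        return "not-applicable"  # CORS-mode loads are governed by CORS, not CORP
    policy = header(headers, "Cross-Origin-Resource-Policy")
    req, res, nav = origin(requester_url), origin(resource_url), mode == "navigate"
    if corp_internal_check(policy, req, res, "unsafe-none", nav) == "blocked":
        return "blocked"
    return corp_internal_check(policy, req, res, embedder_policy, nav)

def framing_protection(headers):
    """The headers that actually decide whether a page may be framed."""
    csp = header(headers, "Content-Security-Policy") or ""
    return {"x-frame-options": header(headers, "X-Frame-Options"),
            "frame-ancestors": "frame-ancestors" in csp}

# Constructed stand-in for the headers mysite.co.in sends.
MYSITE_HEADERS = {"Cross-Origin-Resource-Policy": "same-origin"}
```

With these headers `corp_check(MYSITE_HEADERS, "https://codepen.io", "https://mysite.co.in/", "navigate")` is allowed while the same call with mode `"no-cors"` is blocked, and `framing_protection` reports neither framing header present.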