Add a new HTTP header that prevents documents and workers from loading non-same-origin resources unless they are explicitly allowed via CORS or CORP. Combined with Cross-Origin-Opener-Policy (COOP), this feature allows documents (and workers) to use powerful APIs such as SharedArrayBuffer.


Loading cross-origin no-cors resources is bad for security. Currently, only renderer-based protection prevents web developers from accessing the contents of such resources, but Spectre-like attacks will allow malicious web developers to access any memory in the renderer process. With this header, we will be able to allow web developers to use APIs which can be abused for such attacks. One such example is SharedArrayBuffer.
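The loading rule described above can be modeled as a header audit. This is an added example, not Chromium code. It assumes the header is `Cross-Origin-Embedder-Policy: require-corp` paired with `Cross-Origin-Opener-Policy: same-origin`, and the helper names, URLs and sample headers are constructed for illustration.

```javascript
// Added example: simplified model of the checks, not Chromium's implementation.
// Assumed values: Cross-Origin-Embedder-Policy: require-corp and
// Cross-Origin-Opener-Policy: same-origin. Header maps use lower-case names.
const norm = (v) => (v || '').trim().toLowerCase();

// True when the document opts in to both policies.
function isIsolated(docHeaders) {
  return norm(docHeaders['cross-origin-embedder-policy']) === 'require-corp' &&
    norm(docHeaders['cross-origin-opener-policy']) === 'same-origin';
}

// Naive registrable-domain guess (last two host labels). Assumption for
// illustration only: browsers use the Public Suffix List instead.
const site = (u) => u.hostname.split('.').slice(-2).join('.');

// Decide whether a document may load one subresource.
// res = { url, mode: 'cors' | 'no-cors', headers }. CORS case assumes no credentials.
function checkSubresource(docUrl, docHeaders, res) {
  const doc = new URL(docUrl), target = new URL(res.url);
  if (doc.origin === target.origin) return { allowed: true, reason: 'same-origin' };
  if (res.mode === 'cors') {
    const acao = (res.headers['access-control-allow-origin'] || '').trim();
    const ok = acao === '*' || acao === doc.origin;
    return { allowed: ok, reason: ok ? 'allowed via CORS' : 'CORS check failed' };
  }
  const requireCorp = norm(docHeaders['cross-origin-embedder-policy']) === 'require-corp';
  let corp = norm(res.headers['cross-origin-resource-policy']);
  if (!['same-origin', 'same-site', 'cross-origin'].includes(corp)) corp = null;
  if (corp === null) { // missing or unrecognized CORP value
    return requireCorp ? { allowed: false, reason: 'no CORP under require-corp' }
      : { allowed: true, reason: 'legacy no-cors load' };
  }
  if (corp === 'cross-origin') return { allowed: true, reason: 'allowed via CORP' };
  if (corp === 'same-site') {
    const ok = site(doc) === site(target) &&
      (doc.protocol === 'https:' || target.protocol !== 'https:');
    return { allowed: ok, reason: ok ? 'CORP same-site match' : 'CORP same-site mismatch' };
  }
  return { allowed: false, reason: 'CORP same-origin mismatch' };
}

// Constructed sample input: one opted-in document and three subresources.
const DOC = 'https://app.example.com/';
const DOC_HEADERS = { 'cross-origin-embedder-policy': 'require-corp',
  'cross-origin-opener-policy': 'same-origin' };
const SAMPLES = [
  { url: 'https://cdn.example.net/a.png', mode: 'no-cors', headers: {} },
  { url: 'https://static.example.com/b.js', mode: 'no-cors',
    headers: { 'cross-origin-resource-policy': 'same-site' } },
  { url: 'https://api.example.net/c.json', mode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
];
console.log(isIsolated(DOC_HEADERS), SAMPLES.map((r) => checkSubresource(DOC, DOC_HEADERS, r)));
```

Running this over a page's subresource list before turning the policy on shows which third-party loads would break and which header each one is missing.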



Specification link

Unknown standards status - check spec link for status

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No signal
  • No signals


Last updated on 2021-12-13