Cross-Origin-Resource-Policy Header Missing or Invalid
Risk Level: Low
Confidence: 2
Description
Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.
Solution
Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.
'same-site' is considered as less secured and should be avoided.
If resources must be shared, set the header to 'cross-origin'.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE ID: 693
WASC ID: 14
Example Instance
URL: https://localhost:44322
Method: GET
Parameter: Cross-Origin-Resource-Policy
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-02-18
Plugin ID: 90004
Scan Metadata
- Branch:
main
- Template Source: NuGet.org
- Clean Template Version: 7.0.5
- Umbraco CMS Version: 17.1.0
Cross-Origin-Resource-Policy Header Missing or Invalid
Risk Level: Low
Confidence: 2
Description
Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.
Solution
Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.
'same-site' is considered as less secured and should be avoided.
If resources must be shared, set the header to 'cross-origin'.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE ID: 693
WASC ID: 14
Example Instance
URL:
https://localhost:44322Method: GET
Parameter:
Cross-Origin-Resource-PolicyThis issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-02-18
Plugin ID: 90004
Scan Metadata
main