diff --git a/webapp/handlers.py b/webapp/handlers.py
index dbdb0ca31..d65fc5a80 100644
--- a/webapp/handlers.py
+++ b/webapp/handlers.py
@@ -146,7 +146,7 @@ def add_headers(response):
 resources without credentials
 - Cross-Origin-Opener-Policy: enable the page to open pop-ups while
 maintaining same-origin policy
- - Cross-Origin-Resource-Policy: allowing only same-origin requests to
+ - Cross-Origin-Resource-Policy: allowing cross-origin requests to
 access the resource
 - X-Permitted-Cross-Domain-Policies: disallows cross-domain access to
 resources
@@ -159,6 +159,6 @@ def add_headers(response):
 response.headers["Cross-Origin-Opener-Policy"] = (
 "same-origin-allow-popups"
 )
- response.headers["Cross-Origin-Resource-Policy"] = "same-site"
+ response.headers["Cross-Origin-Resource-Policy"] = "cross-origin"
 response.headers["X-Permitted-Cross-Domain-Policies"] = "none"
 return response
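Review bot: Setting `Cross-Origin-Resource-Policy` to `cross-origin` in the second hunk lets any site load every response this handler touches in no-cors mode, which removes the protection CORP gives against cross-site inclusion and side-channel reads of responses; if `add_headers` runs on authenticated or per-user pages (not visible here, the function starts outside the hunk), those are covered by the relaxed policy too. If only some assets need to be embedded by other origins, keep the restrictive value as the default and let those routes opt in, for example `response.headers.setdefault("Cross-Origin-Resource-Policy", "same-site")` here with the asset views setting `cross-origin` themselves (assuming the headers object supports `setdefault`, as Werkzeug's does). Either way, the docstring bullet in the first hunk should say which consumers need cross-origin access, e.g. `- Cross-Origin-Resource-Policy: cross-origin, because <consumer> embeds these resources from another origin`.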