From 7320ff0414fe9db4a217e7ccbe278384bd7e51ed Mon Sep 17 00:00:00 2001
From: Andrei Aaron
Date: Thu, 16 Jan 2025 18:39:16 +0000
Subject: [PATCH] fix(headers): set Cross-Origin-Resource-Policy header for UI requests

Signed-off-by: Andrei Aaron
---
 pkg/extensions/extension_ui.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/extensions/extension_ui.go b/pkg/extensions/extension_ui.go
index abb7a362d..9fcaa93f9 100644
--- a/pkg/extensions/extension_ui.go
+++ b/pkg/extensions/extension_ui.go
@@ -40,6 +40,9 @@ func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
 	w.Header().Set("Permissions-Policy", permissionsPolicy)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
+	w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
+	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 
 	cspDirectives := []string{
 		"default-src 'none'",
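Review bot: The second and third added lines set `Cross-Origin-Embedder-Policy: require-corp` and `Cross-Origin-Opener-Policy: same-origin`, which go well beyond the Cross-Origin-Resource-Policy header named in the subject, and the commit message does not mention them. With `require-corp` the browser refuses to load any cross-origin subresource (images, fonts, scripts) that does not itself carry a CORP or CORS header, so if the UI ever fetches anything from another origin it will silently break; the CSP list that starts with `default-src 'none'` presumably keeps everything same-origin, but its remaining directives are outside this hunk, so that should be confirmed. Either way the intent deserves a comment above the three new lines, e.g. `// COEP require-corp + COOP same-origin opt the UI into cross-origin isolation; any cross-origin subresource must now send CORP or CORS headers.`, and the commit description should list all three headers. The body of addUISecurityHeaders continues past the end of the hunk.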