diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 35234442..bb9c806d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -114,6 +114,7 @@ http {
         error_page 404 /404.html;
 
         include snippets/security-headers.conf;
+        add_header Cross-Origin-Resource-Policy "same-origin";
         gzip_static on;
         brotli_static on;
 
@@ -266,6 +267,7 @@ http {
             include snippets/security-headers-base.conf;
             add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
             add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=()" always;
+            add_header Cross-Origin-Resource-Policy "same-origin";
             add_header Cache-Control "public, no-cache";
             include snippets/preload.conf;
             try_files $uri.html =404;
@@ -273,6 +275,7 @@ http {
 
         location / {
             include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "same-origin";
             add_header Cache-Control "public, no-cache";
             include snippets/preload.conf;
             try_files $uri $uri.html $uri/ =404;