diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index bb9c806d..e3d01146 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -88,6 +88,7 @@ http {
 root /var/empty;
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 return 301 https://grapheneos.org$request_uri;
 }
@@ -100,6 +101,7 @@ http {
 root /var/empty;
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 return 302 https://github.com/GrapheneOS/Vanadium;
 }
@@ -211,12 +213,14 @@ http {
 location = /404 {
 internal;
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 include snippets/preload.conf;
 }
 location = /404.html {
 internal;
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 include snippets/preload.conf;
 }
@@ -232,6 +236,7 @@ http {
 location ~ "\.css$" {
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 add_header Cache-Control "public, max-age=31536000, immutable";
 }
@@ -242,6 +247,7 @@ http {
 location ~ "\.woff2$" {
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 add_header Cache-Control "public, max-age=31536000, immutable";
 gzip_static off;
 brotli_static off;
@@ -300,6 +306,7 @@ http {
 root /srv/mta-sts;
 include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin";
 }
 server {
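Review bot: The line `add_header Cross-Origin-Resource-Policy "same-origin";` is repeated directly after `include snippets/security-headers.conf;` in this redirect server and in the six other blocks this commit touches, with nothing saying why it is not part of the snippet. nginx inherits `add_header` from the outer level only when a block declares none of its own, so a block that includes the snippet but misses this line serves no CORP header at all, and nothing flags the omission. If blocks outside this diff need a different value, a comment such as `# CORP is set per block because the value differs for <resource>; keep it next to every security-headers include` would make the rule explicit; otherwise the line belongs in the snippet. The server block starts outside the hunk.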
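Review bot: In the `location = /404` and `location = /404.html` blocks the new `add_header` has no `always` parameter, and without it nginx attaches the header only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses. If these internal locations are served with status 404 (the `error_page` directive is outside the hunk, so this is inferred), the error page goes out without Cross-Origin-Resource-Policy; `add_header Cross-Origin-Resource-Policy "same-origin" always;` covers that case. The same gap applies to error responses from the `\.css$`, `\.woff2$` and `/srv/mta-sts` blocks in the later hunks, while the 301 and 302 redirects in the first two hunks already receive the header. Whether `snippets/security-headers.conf` itself uses `always` is not visible here, and the new line should match it.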