From e34242008b85c8a2dbd16cebb2b98c08064e226b Mon Sep 17 00:00:00 2001
From: Till <2353100+S7evinK@users.noreply.github.com>
Date: Wed, 10 Jan 2024 09:39:13 +0100
Subject: [PATCH] Add CORP header to `/download` and `/thumbnail` (#3299)

Part of #3222

https://github.com/matrix-org/matrix-spec-proposals/pull/3828
---
 mediaapi/routing/routing.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go
index e0af4a91..5963eeaa 100644
--- a/mediaapi/routing/routing.go
+++ b/mediaapi/routing/routing.go
@@ -123,6 +123,7 @@ func makeDownloadAPI(
 
 		// Set internal headers returned regardless of the outcome of the request
 		util.SetCORSHeaders(w)
+		w.Header().Set("Cross-Origin-Resource-Policy", "cross-origin")
 		// Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors
 		w.Header().Set("Content-Type", "application/json")