From 596ced938b8f41c438993073ea761301bc6ca45d Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Wed, 25 Sep 2024 15:25:13 -0700 Subject: [PATCH 1/7] add header --- .../applicationinsights-channel-js/src/Sender.ts | 5 +++++ .../JavaScriptSDK.Interfaces/IConfiguration.ts | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/channels/applicationinsights-channel-js/src/Sender.ts b/channels/applicationinsights-channel-js/src/Sender.ts index 55c42665b..ce1cb75d7 100644 --- a/channels/applicationinsights-channel-js/src/Sender.ts +++ b/channels/applicationinsights-channel-js/src/Sender.ts @@ -81,6 +81,8 @@ const defaultAppInsightsChannelConfig: IConfigDefaults = objDeepF maxRetryCnt: {isVal: isNumber, v:10} }); +const CrossOriginResourcePolicyHeader: string = "AI-Cross-Origin-Resource-Policy"; + function _chkSampling(value: number) { return !isNaN(value) && value > 0 && value <= 100; } @@ -265,6 +267,9 @@ export class Sender extends BaseTelemetryPlugin implements IChannelControls { if (config.storagePrefix){ utlSetStoragePrefix(config.storagePrefix); } + if (config.crossOriginResourcePolicy){ + this.addHeader(CrossOriginResourcePolicyHeader, config.crossOriginResourcePolicy); + } let ctx = createProcessTelemetryContext(null, config, core); // getExtCfg only finds undefined values from core let senderConfig = ctx.getExtCfg(identifier, defaultAppInsightsChannelConfig); diff --git a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts index ac30e3bc9..25ee8071a 100644 --- a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts +++ b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts 
@@ -214,4 +214,19 @@ export interface IConfiguration { * @since 3.3.2 */ expCfg?: IExceptionConfig; + + /** + * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint. + * This value is included in the response header as `Cross-Origin-Resource-Policy`, + * which helps control how resources can be shared across different origins. + * + * Possible values: + * - `same-site`: Allows access only from the same site. + * - `same-origin`: Allows access only from the same origin (protocol, host, and port). + * - `cross-origin`: Allows access from any origin. + * + * @since 3.3.3 + */ + crossOriginResourcePolicy?: string; + } From 35a5ee9bea865a6a0a21d14db1a7e0ea23d9f6b0 Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Wed, 25 Sep 2024 16:05:15 -0700 Subject: [PATCH 2/7] add test --- .../Tests/Unit/src/Sender.tests.ts | 61 +++++++++++++++++++ .../src/Interfaces.ts | 14 +++++ .../src/Sender.ts | 1 + .../src/Interfaces/IConfig.ts | 13 ++++ .../IConfiguration.ts | 14 ----- 5 files changed, 89 insertions(+), 14 deletions(-) diff --git a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts index e9ea85896..e2a23d0a7 100644 --- a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts +++ b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts 
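Review bot: The doc comment on `crossOriginResourcePolicy` says the value "is included in the response header as `Cross-Origin-Resource-Policy`", but the only use in patch 1/7 is `this.addHeader(CrossOriginResourcePolicyHeader, config.crossOriginResourcePolicy)` in Sender.ts, which puts it on the outgoing request under the custom name `AI-Cross-Origin-Resource-Policy`. A CORP response header is chosen by the server, so a reader could take this option for a browser-enforced control when it is at most a hint to the endpoint. Whether the endpoint honours the hint is not visible on this page. I would reword the second sentence to `* The value is sent to the endpoint as a request header; the endpoint decides whether to return it as the Cross-Origin-Resource-Policy response header.` The same comment text is repeated in the ISenderConfig (Interfaces.ts) and IConfig.ts hunks of patch 2/7.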
@@ -2708,6 +2708,67 @@ export class SenderTests extends AITestClass { } }); + this.testCase({ + name: 'Users could set the cross-origin header via request', + useFakeTimers: true, + test: () => { + let core = new AppInsightsCore(); + let id = this._sender.identifier; + let coreConfig = { + instrumentationKey: 'abc', + crossOriginResourcePolicy: "cross-origin", + isBeaconApiDisabled: true, + customHeaders: [ + { + header: 'testHeader', + value: 'testValue' + } + ] + } + core.initialize(coreConfig, [this._sender]); + + let sendBeaconCalled = false; + this.hookSendBeacon((url: string) => { + sendBeaconCalled = true; + return true; + }); + + const telemetryItem: ITelemetryItem = { + name: 'fake item', + iKey: 'iKey', + baseType: 'some type', + baseData: {} + }; + + try { + this._sender.processTelemetry(telemetryItem, null); + this._sender.flush(); + } catch(e) { + QUnit.assert.ok(false); + } + + QUnit.assert.equal(1, this._getXhrRequests().length, "xhr sender is called"); + let headers = this._getXhrRequests()[0].requestHeaders; + QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'cross-origin'); + QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy')); + QUnit.assert.notOk(this._getXhrRequests()[0].requestHeaders.hasOwnProperty('testHeader')); + + // dynamic change + core.config.crossOriginResourcePolicy = "same-origin"; + this.clock.tick(1); + try { + this._sender.processTelemetry(telemetryItem, null); + this._sender.flush(); + } catch(e) { + QUnit.assert.ok(false); + } + headers = this._getXhrRequests()[1].requestHeaders; + QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy')); + QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'same-origin'); + QUnit.assert.notOk(this._getXhrRequests()[1].requestHeaders.hasOwnProperty('testHeader')); + } + }); + this.testCase({ name: 'Users are allowed to add customHeaders when endpointUrl is not Breeze.', test: () => { 
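Review bot: Both `catch(e) { QUnit.assert.ok(false); }` blocks in the new test discard the exception, so a failure in `processTelemetry` or `flush` reports a bare false assertion with no cause; `QUnit.assert.ok(false, "send threw: " + e);` would keep it. The locals `id` and `sendBeaconCalled` are assigned but never read and could be dropped, or `sendBeaconCalled` could be asserted with `QUnit.assert.notOk(sendBeaconCalled, "beacon not used");`. With `isBeaconApiDisabled: true`, only the XHR transport is checked for the header; whether other transports carry it is not covered here. The enclosing test class continues outside the hunk.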
diff --git a/channels/applicationinsights-channel-js/src/Interfaces.ts b/channels/applicationinsights-channel-js/src/Interfaces.ts index 7d6a43142..4b002b8ce 100644 --- a/channels/applicationinsights-channel-js/src/Interfaces.ts +++ b/channels/applicationinsights-channel-js/src/Interfaces.ts @@ -166,6 +166,20 @@ export interface ISenderConfig { * @since 3.2.0 */ maxRetryCnt?: number; + + /** + * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint. + * This value is included in the response header as `Cross-Origin-Resource-Policy`, + * which helps control how resources can be shared across different origins. + * + * Possible values: + * - `same-site`: Allows access only from the same site. + * - `same-origin`: Allows access only from the same origin (protocol, host, and port). + * - `cross-origin`: Allows access from any origin. + * + * @since 3.3.3 + */ + crossOriginResourcePolicy?: string; } export interface IBackendResponse { diff --git a/channels/applicationinsights-channel-js/src/Sender.ts b/channels/applicationinsights-channel-js/src/Sender.ts index ce1cb75d7..69ab91282 100644 --- a/channels/applicationinsights-channel-js/src/Sender.ts +++ b/channels/applicationinsights-channel-js/src/Sender.ts @@ -78,6 +78,7 @@ const defaultAppInsightsChannelConfig: IConfigDefaults = objDeepF alwaysUseXhrOverride: cfgDfBoolean(), transports: UNDEFINED_VALUE, retryCodes: UNDEFINED_VALUE, + crossOriginResourcePolicy: UNDEFINED_VALUE, maxRetryCnt: {isVal: isNumber, v:10} }); diff --git a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts index f4f292b77..1751242bf 100644 --- a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts +++ b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts 
@@ -390,6 +390,19 @@ export interface IConfig { */ userOverrideEndpointUrl?: string; + /** + * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint. + * This value is included in the response header as `Cross-Origin-Resource-Policy`, + * which helps control how resources can be shared across different origins. + * + * Possible values: + * - `same-site`: Allows access only from the same site. + * - `same-origin`: Allows access only from the same origin (protocol, host, and port). + * - `cross-origin`: Allows access from any origin. + * + * @since 3.3.3 + */ + crossOriginResourcePolicy?: string; } export class ConfigurationManager { diff --git a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts index 25ee8071a..446e3cadc 100644 --- a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts +++ b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts @@ -215,18 +215,4 @@ export interface IConfiguration { */ expCfg?: IExceptionConfig; - /** - * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint. - * This value is included in the response header as `Cross-Origin-Resource-Policy`, - * which helps control how resources can be shared across different origins. - * - * Possible values: - * - `same-site`: Allows access only from the same site. - * - `same-origin`: Allows access only from the same origin (protocol, host, and port). - * - `cross-origin`: Allows access from any origin. - * - * @since 3.3.3 - */ - crossOriginResourcePolicy?: string; - } From e7032281edee37684d1acbecb6115aa3b93d26ca Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Wed, 25 Sep 2024 16:06:37 -0700 Subject: [PATCH 3/7] Update IConfiguration.ts --- .../src/JavaScriptSDK.Interfaces/IConfiguration.ts | 1 - 1 file changed, 1 deletion(-) 
diff --git a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts index 446e3cadc..ac30e3bc9 100644 --- a/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts +++ b/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IConfiguration.ts @@ -214,5 +214,4 @@ export interface IConfiguration { * @since 3.3.2 */ expCfg?: IExceptionConfig; - } From e5bc8a3b26e0742ca3f90e5f15008b8567dccd9c Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Wed, 25 Sep 2024 17:12:17 -0700 Subject: [PATCH 4/7] rename --- .../Tests/Unit/src/Sender.tests.ts | 12 +++++------- .../src/Interfaces.ts | 2 +- .../applicationinsights-channel-js/src/Sender.ts | 7 ++++--- shared/AppInsightsCommon/src/Interfaces/IConfig.ts | 14 -------------- .../src/JavaScriptSDK/DataCacheHelper.ts | 2 +- 5 files changed, 11 insertions(+), 26 deletions(-) diff --git a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts index e2a23d0a7..98eeba447 100644 --- a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts +++ b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts @@ -2716,14 +2716,12 @@ export class SenderTests extends AITestClass { let id = this._sender.identifier; let coreConfig = { instrumentationKey: 'abc', - crossOriginResourcePolicy: "cross-origin", isBeaconApiDisabled: true, - customHeaders: [ - { - header: 'testHeader', - value: 'testValue' + extensionConfig: { + [this._sender.identifier]: { + corsPolicy: "cross-origin", } - ] + } } core.initialize(coreConfig, [this._sender]); 
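Review bot: Removing the `customHeaders` entry from `coreConfig` in the Sender.tests.ts hunk makes the `QUnit.assert.notOk(...requestHeaders.hasOwnProperty('testHeader'))` assertions vacuous, since nothing sets `testHeader` any more. Those assertions stay in the test and are visible as context in the following hunk. Either keep the `customHeaders` entry, so the test still shows that custom headers are withheld while the policy header is sent, or delete the two `testHeader` assertions. `let id = this._sender.identifier;` is still unused after this change, while the new config key repeats `this._sender.identifier`; `[id]: { corsPolicy: "cross-origin" }` would use it.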
@@ -2754,7 +2752,7 @@ export class SenderTests extends AITestClass { QUnit.assert.notOk(this._getXhrRequests()[0].requestHeaders.hasOwnProperty('testHeader')); // dynamic change - core.config.crossOriginResourcePolicy = "same-origin"; + core.config.extensionConfig[this._sender.identifier].corsPolicy = "same-origin"; this.clock.tick(1); try { this._sender.processTelemetry(telemetryItem, null); diff --git a/channels/applicationinsights-channel-js/src/Interfaces.ts b/channels/applicationinsights-channel-js/src/Interfaces.ts index 4b002b8ce..834c0082f 100644 --- a/channels/applicationinsights-channel-js/src/Interfaces.ts +++ b/channels/applicationinsights-channel-js/src/Interfaces.ts @@ -179,7 +179,7 @@ export interface ISenderConfig { * * @since 3.3.3 */ - crossOriginResourcePolicy?: string; + corsPolicy?: string; } export interface IBackendResponse { diff --git a/channels/applicationinsights-channel-js/src/Sender.ts b/channels/applicationinsights-channel-js/src/Sender.ts index 69ab91282..6eeab9ed6 100644 --- a/channels/applicationinsights-channel-js/src/Sender.ts +++ b/channels/applicationinsights-channel-js/src/Sender.ts @@ -268,12 +268,13 @@ export class Sender extends BaseTelemetryPlugin implements IChannelControls { if (config.storagePrefix){ utlSetStoragePrefix(config.storagePrefix); } - if (config.crossOriginResourcePolicy){ - this.addHeader(CrossOriginResourcePolicyHeader, config.crossOriginResourcePolicy); - } + let ctx = createProcessTelemetryContext(null, config, core); // getExtCfg only finds undefined values from core let senderConfig = ctx.getExtCfg(identifier, defaultAppInsightsChannelConfig); + if (senderConfig.corsPolicy){ + this.addHeader(CrossOriginResourcePolicyHeader, senderConfig.corsPolicy); + } if(isPromiseLike(senderConfig.endpointUrl)) { // if it is promise, means the endpoint url is from core.endpointurl senderConfig.endpointUrl = config.endpointUrl as any; 
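Review bot: The option renamed to `corsPolicy` in the Interfaces.ts hunk and read as `senderConfig.corsPolicy` in the Sender.ts hunk carries a Cross-Origin-Resource-Policy (CORP) value, which is a different mechanism from CORS. The doc comment above the field still describes CORP, and the header constant is still `CrossOriginResourcePolicyHeader`. The short name invites the assumption that this setting configures CORS behaviour for telemetry requests. I would keep the earlier name `crossOriginResourcePolicy`, or at least add `// corsPolicy carries a Cross-Origin-Resource-Policy (CORP) value; it does not configure CORS` above the read in Sender.ts. The enclosing function in Sender.ts starts and ends outside the hunk.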
diff --git a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts index 1751242bf..878911921 100644 --- a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts +++ b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts @@ -389,20 +389,6 @@ export interface IConfig { * This URL takes precedence over the 'config.endpointUrl' and any endpoint in the connection string. */ userOverrideEndpointUrl?: string; - - /** - * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint. - * This value is included in the response header as `Cross-Origin-Resource-Policy`, - * which helps control how resources can be shared across different origins. - * - * Possible values: - * - `same-site`: Allows access only from the same site. - * - `same-origin`: Allows access only from the same origin (protocol, host, and port). - * - `cross-origin`: Allows access from any origin. - * - * @since 3.3.3 - */ - crossOriginResourcePolicy?: string; } export class ConfigurationManager { diff --git a/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts b/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts index 79f2e2bac..d910e73b5 100644 --- a/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts +++ b/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts @@ -6,7 +6,7 @@ import { normalizeJsName } from "./HelperFuncs"; import { STR_EMPTY } from "./InternalConstants"; import { newId } from "./RandomHelper"; -const version = "#version#"; +const version = '3.3.3'; let instanceName = "." + newId(6); let _dataUid = 0; From 9a7344166d87bebc54472557e58656e1997e1bf3 Mon Sep 17 00:00:00 2001 
From: siyuniu-ms Date: Thu, 26 Sep 2024 18:51:16 -0700 Subject: [PATCH 5/7] based on comment --- .../Tests/Unit/src/Sender.tests.ts | 8 ++++---- channels/applicationinsights-channel-js/src/Sender.ts | 9 ++++++--- shared/AppInsightsCommon/src/Interfaces/IConfig.ts | 1 + .../AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts | 2 +- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts index 98eeba447..d13ae8dea 100644 --- a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts +++ b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts @@ -2747,8 +2747,8 @@ export class SenderTests extends AITestClass { QUnit.assert.equal(1, this._getXhrRequests().length, "xhr sender is called"); let headers = this._getXhrRequests()[0].requestHeaders; - QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'cross-origin'); - QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy')); + QUnit.assert.equal(headers['X-Cross-Origin-Resource-Policy'], 'cross-origin'); + QUnit.assert.ok(headers.hasOwnProperty('X-Cross-Origin-Resource-Policy')); QUnit.assert.notOk(this._getXhrRequests()[0].requestHeaders.hasOwnProperty('testHeader')); // dynamic change @@ -2761,8 +2761,8 @@ export class SenderTests extends AITestClass { QUnit.assert.ok(false); } headers = this._getXhrRequests()[1].requestHeaders; - QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy')); - QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'same-origin'); + QUnit.assert.ok(headers.hasOwnProperty('X-Cross-Origin-Resource-Policy')); + QUnit.assert.equal(headers['X-Cross-Origin-Resource-Policy'], 'same-origin'); QUnit.assert.notOk(this._getXhrRequests()[1].requestHeaders.hasOwnProperty('testHeader')); } }); 
diff --git a/channels/applicationinsights-channel-js/src/Sender.ts b/channels/applicationinsights-channel-js/src/Sender.ts index 6eeab9ed6..27da891d2 100644 --- a/channels/applicationinsights-channel-js/src/Sender.ts +++ b/channels/applicationinsights-channel-js/src/Sender.ts @@ -82,7 +82,7 @@ const defaultAppInsightsChannelConfig: IConfigDefaults = objDeepF maxRetryCnt: {isVal: isNumber, v:10} }); -const CrossOriginResourcePolicyHeader: string = "AI-Cross-Origin-Resource-Policy"; +const CrossOriginResourcePolicyHeader: string = "X-Cross-Origin-Resource-Policy"; function _chkSampling(value: number) { return !isNaN(value) && value > 0 && value <= 100; @@ -268,12 +268,15 @@ export class Sender extends BaseTelemetryPlugin implements IChannelControls { if (config.storagePrefix){ utlSetStoragePrefix(config.storagePrefix); } - let ctx = createProcessTelemetryContext(null, config, core); // getExtCfg only finds undefined values from core let senderConfig = ctx.getExtCfg(identifier, defaultAppInsightsChannelConfig); if (senderConfig.corsPolicy){ - this.addHeader(CrossOriginResourcePolicyHeader, senderConfig.corsPolicy); + if (senderConfig.corsPolicy === "same-origin" || senderConfig.corsPolicy === "same-site" || senderConfig.corsPolicy === "cross-origin") { + this.addHeader(CrossOriginResourcePolicyHeader, senderConfig.corsPolicy); + } + } else { + delete _headers[CrossOriginResourcePolicyHeader]; } if(isPromiseLike(senderConfig.endpointUrl)) { // if it is promise, means the endpoint url is from core.endpointurl diff --git a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts index 878911921..f4f292b77 100644 --- a/shared/AppInsightsCommon/src/Interfaces/IConfig.ts +++ b/shared/AppInsightsCommon/src/Interfaces/IConfig.ts 
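Review bot: A truthy value outside the allow-list leaves any previously added header in place, because in the `@@ -268,12 +268,15 @@` Sender.ts hunk the `else { delete _headers[CrossOriginResourcePolicyHeader]; }` branch belongs to the outer `if (senderConfig.corsPolicy)` and not to the allow-list comparison. If the option changes at runtime from `same-origin` to an unsupported string, requests would presumably keep carrying `same-origin`; this assumes `addHeader` writes into `_headers`, which is not visible in the hunk. Dropping the outer test so the `else` hangs directly off the allow-list `if` removes the header for every unsupported value, null included. Patch 7/7 keeps the same structure with the local `corsPolicy`, so the point applies there too. The enclosing function starts and ends outside the hunk.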
@@ -389,6 +389,7 @@ export interface IConfig { * This URL takes precedence over the 'config.endpointUrl' and any endpoint in the connection string. */ userOverrideEndpointUrl?: string; + } export class ConfigurationManager { diff --git a/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts b/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts index d910e73b5..79f2e2bac 100644 --- a/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts +++ b/shared/AppInsightsCore/src/JavaScriptSDK/DataCacheHelper.ts @@ -6,7 +6,7 @@ import { normalizeJsName } from "./HelperFuncs"; import { STR_EMPTY } from "./InternalConstants"; import { newId } from "./RandomHelper"; -const version = '3.3.3'; +const version = "#version#"; let instanceName = "." + newId(6); let _dataUid = 0; From 6e09f18f64de36863beb230689b2979b296f54db Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Thu, 26 Sep 2024 18:55:09 -0700 Subject: [PATCH 6/7] Update Sender.tests.ts --- .../Tests/Unit/src/Sender.tests.ts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts index d13ae8dea..69bc49de2 100644 --- a/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts +++ b/channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts 
@@ -2764,6 +2764,18 @@ export class SenderTests extends AITestClass { QUnit.assert.ok(headers.hasOwnProperty('X-Cross-Origin-Resource-Policy')); QUnit.assert.equal(headers['X-Cross-Origin-Resource-Policy'], 'same-origin'); QUnit.assert.notOk(this._getXhrRequests()[1].requestHeaders.hasOwnProperty('testHeader')); + + // dynamic change to null + core.config.extensionConfig[this._sender.identifier].corsPolicy = null; + this.clock.tick(1); + try { + this._sender.processTelemetry(telemetryItem, null); + this._sender.flush(); + } catch(e) { + QUnit.assert.ok(false); + } + headers = this._getXhrRequests()[2].requestHeaders; + QUnit.assert.notOk(this._getXhrRequests()[2].requestHeaders.hasOwnProperty('X-Cross-Origin-Resource-Policy')); } }); From 49d9486bd968ad8ef9a76aaae97c1ec7efd6c1ab Mon Sep 17 00:00:00 2001 From: siyuniu-ms Date: Fri, 27 Sep 2024 16:49:10 -0700 Subject: [PATCH 7/7] local variable --- channels/applicationinsights-channel-js/src/Sender.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/channels/applicationinsights-channel-js/src/Sender.ts b/channels/applicationinsights-channel-js/src/Sender.ts index 27da891d2..946febd5b 100644 --- a/channels/applicationinsights-channel-js/src/Sender.ts +++ b/channels/applicationinsights-channel-js/src/Sender.ts @@ -78,7 +78,7 @@ const defaultAppInsightsChannelConfig: IConfigDefaults = objDeepF alwaysUseXhrOverride: cfgDfBoolean(), transports: UNDEFINED_VALUE, retryCodes: UNDEFINED_VALUE, - crossOriginResourcePolicy: UNDEFINED_VALUE, + corsPolicy: UNDEFINED_VALUE, maxRetryCnt: {isVal: isNumber, v:10} }); 
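Review bot: No case in this test sets `corsPolicy` to an unsupported string; the added block covers only the change to null, so the allow-list in Sender.ts, the only check on what reaches the header, is never exercised on its reject path. A case that moves from a valid value to an unsupported one and asserts the header is absent would pin that behaviour. As the Sender.ts code in patch 5/7 is written, it would presumably fail, because the delete branch runs only for falsy values. In the added block, `headers = this._getXhrRequests()[2].requestHeaders;` is assigned and then not used by the assertion that follows. The request index `[3]` below assumes one XHR per flush, as the existing assertions do.

```typescript
// … unchanged: "dynamic change to null" block …

// unsupported value ("not-a-policy" is a constructed sample): header must not be sent
core.config.extensionConfig[this._sender.identifier].corsPolicy = "same-origin";
this.clock.tick(1);
core.config.extensionConfig[this._sender.identifier].corsPolicy = "not-a-policy";
this.clock.tick(1);
this._sender.processTelemetry(telemetryItem, null);
this._sender.flush();
headers = this._getXhrRequests()[3].requestHeaders;
QUnit.assert.notOk(headers.hasOwnProperty('X-Cross-Origin-Resource-Policy'), "unsupported corsPolicy value is not sent");
```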
@@ -271,9 +271,10 @@ export class Sender extends BaseTelemetryPlugin implements IChannelControls { let ctx = createProcessTelemetryContext(null, config, core); // getExtCfg only finds undefined values from core let senderConfig = ctx.getExtCfg(identifier, defaultAppInsightsChannelConfig); - if (senderConfig.corsPolicy){ - if (senderConfig.corsPolicy === "same-origin" || senderConfig.corsPolicy === "same-site" || senderConfig.corsPolicy === "cross-origin") { - this.addHeader(CrossOriginResourcePolicyHeader, senderConfig.corsPolicy); + let corsPolicy = senderConfig.corsPolicy; + if (corsPolicy){ + if (corsPolicy === "same-origin" || corsPolicy === "same-site" || corsPolicy === "cross-origin") { + this.addHeader(CrossOriginResourcePolicyHeader, corsPolicy); } } else { delete _headers[CrossOriginResourcePolicyHeader];