Cross-Origin-Embedder-Policy support

[Sora2455]

Is your feature request related to a problem? Please describe.
When trying to set the Cross-Origin-Embedder-Policy header to "require-corp" on my site, requests to application insights (in particular https://australiaeast-0.in.applicationinsights.azure.com//v2/track) are blocked, as they do not have a Cross-Origin-Resource-Policy header.

Describe the solution you'd like
The application insights endpoints to serve a Cross-Origin-Resource-Policy header of the value "cross-origin".

Describe alternatives you've considered
If this was an image or script request, I could add the crossOrigin attribute to the or <script> tag to get around this problem. However, this is a fetch/XHR request, and one that requires cookies if I understand correctly.

Additional context
Cross-Origin-Embedder-Policy is needed to enable the security feature cross-site isolation.

[Karlie-777]

Related: #1399

[Sora2455]

Any chance this could be looked at anytime soon? I appreciate the team behind the JS library may not have any involvement with the team controlling the report servers, but in that case is there a better place I should be making this request?

[Karlie-777]

Hi @Sora2455,
If your are using a customized endpoint, config customerHeaders should be able to add extra headers.
And another way of doing it is to provide a xhroverride in sender config where you can control sending methods including headers as well.

[Sora2455]

Hi @Karlie-777

If I've understood correctly, those config options set headers on the request - but I need them set on the response.

[Karlie-777]

@Sora2455 Correct, they are for request headers. For response headers, we've created a task internally, let me get back to you as soon as we have updates!

[siyuniu-ms]

@Sora2455 The new change will be available in our next version release (3.3.7) which will be out before end of this month.