A customer has Sisense embedded in our web application as an iframe, and we are having some issues related to Cross-Origin Resource Policy. We know that Sisense has CORS settings, but we have not found anything related to Cross-Origin Resource Policy (CORP) headers, like cross-origin-embedder-policy or cross-origin-resource-policy setup.
The customer would like the same configurations and settings at their disposal
CORP vs CORS
Security reasons and compliance. Third party assessments every year and the lacking of CORP headers was one of the outputs. Actually from what I understood CORP/CORS aims to solve different issues, so we actually should use both.
Also CORP currently has some default (more permissive) values considered by browsers that could change in the future as well. In this case even if the web applications does not set the headers, browser could refuse cross-origin i-frames by default.
