[main] support adding cross origin resource policy for #1851

channels/applicationinsights-channel-js/Tests/Unit/src/Sender.tests.ts

@@ -2708,6 +2708,67 @@
             }
         });
 
+        this.testCase({
+            name: 'Users could set the cross-origin header via request',
+            useFakeTimers: true,
+            test: () => {
+                let core = new AppInsightsCore();
+                let id = this._sender.identifier;
+                let coreConfig = {
+                    instrumentationKey: 'abc',
+                    crossOriginResourcePolicy: "cross-origin",
+                    isBeaconApiDisabled: true,
+                    customHeaders: [
+                        {
+                            header: 'testHeader',
+                            value: 'testValue'
+                        }
+                    ]
+                }
+                core.initialize(coreConfig, [this._sender]);
+
+                let sendBeaconCalled = false;
+                this.hookSendBeacon((url: string) => {
+                    sendBeaconCalled = true;
+                    return true;
+                });
+
+                const telemetryItem: ITelemetryItem = {
+                    name: 'fake item',
+                    iKey: 'iKey',
+                    baseType: 'some type',
+                    baseData: {}
+                };
+
+                try {
+                    this._sender.processTelemetry(telemetryItem, null);
+                    this._sender.flush();
+                } catch(e) {
+                    QUnit.assert.ok(false);
+                }
+
+                QUnit.assert.equal(1, this._getXhrRequests().length, "xhr sender is called");
+                let headers = this._getXhrRequests()[0].requestHeaders;
+                QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'cross-origin');
+                QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy'));  
+                QUnit.assert.notOk(this._getXhrRequests()[0].requestHeaders.hasOwnProperty('testHeader'));
+
+                // dynamic change
+                core.config.crossOriginResourcePolicy = "same-origin";
+                this.clock.tick(1);
+                try {
+                    this._sender.processTelemetry(telemetryItem, null);
+                    this._sender.flush();
+                } catch(e) {
+                    QUnit.assert.ok(false);
+                }
+                headers = this._getXhrRequests()[1].requestHeaders;                
+                QUnit.assert.ok(headers.hasOwnProperty('AI-Cross-Origin-Resource-Policy'));  
+                QUnit.assert.equal(headers['AI-Cross-Origin-Resource-Policy'], 'same-origin');
+                QUnit.assert.notOk(this._getXhrRequests()[1].requestHeaders.hasOwnProperty('testHeader'));
+            }
+        });
+
         this.testCase({
             name: 'Users are allowed to add customHeaders when endpointUrl is not Breeze.',
             test: () => {

channels/applicationinsights-channel-js/src/Interfaces.ts

@@ -166,6 +166,20 @@ export interface ISenderConfig {
      * @since 3.2.0
      */
     maxRetryCnt?: number;
+
+    /**
+     * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint.
+     * This value is included in the response header as `Cross-Origin-Resource-Policy`,
+     * which helps control how resources can be shared across different origins.
+     *
+     * Possible values:
+     * - `same-site`: Allows access only from the same site.
+     * - `same-origin`: Allows access only from the same origin (protocol, host, and port).
+     * - `cross-origin`: Allows access from any origin.
+     *
+     * @since 3.3.3
+     */
+    crossOriginResourcePolicy?: string;
 }
 
 export interface IBackendResponse {

channels/applicationinsights-channel-js/src/Sender.ts

@@ -78,9 +78,12 @@ const defaultAppInsightsChannelConfig: IConfigDefaults<ISenderConfig> = objDeepF
     alwaysUseXhrOverride: cfgDfBoolean(),
     transports: UNDEFINED_VALUE,
     retryCodes: UNDEFINED_VALUE,
+    crossOriginResourcePolicy: UNDEFINED_VALUE,
     maxRetryCnt: {isVal: isNumber, v:10}
 });
 
+const CrossOriginResourcePolicyHeader: string = "AI-Cross-Origin-Resource-Policy";
+
 function _chkSampling(value: number) {
     return !isNaN(value) && value > 0 && value <= 100;
 }
@@ -265,6 +268,9 @@ export class Sender extends BaseTelemetryPlugin implements IChannelControls {
                     if (config.storagePrefix){
                         utlSetStoragePrefix(config.storagePrefix);
                     }
+                    if (config.crossOriginResourcePolicy){
+                        this.addHeader(CrossOriginResourcePolicyHeader, config.crossOriginResourcePolicy);
+                    }
                     let ctx = createProcessTelemetryContext(null, config, core);
                     // getExtCfg only finds undefined values from core
                     let senderConfig = ctx.getExtCfg(identifier, defaultAppInsightsChannelConfig);

shared/AppInsightsCommon/src/Interfaces/IConfig.ts

@@ -390,6 +390,19 @@ export interface IConfig {
      */
     userOverrideEndpointUrl?: string;
 
+    /**
+     * [Optional] Specifies the Cross-Origin Resource Policy (CORP) for the endpoint.
+     * This value is included in the response header as `Cross-Origin-Resource-Policy`,
+     * which helps control how resources can be shared across different origins.
+     *
+     * Possible values:
+     * - `same-site`: Allows access only from the same site.
+     * - `same-origin`: Allows access only from the same origin (protocol, host, and port).
+     * - `cross-origin`: Allows access from any origin.
+     *
+     * @since 3.3.3
+     */
+    crossOriginResourcePolicy?: string;
 }
 
 export class ConfigurationManager {