refine the header fixes for chrome to avoid breaking standalone instances

server.js

@@ -43,6 +43,7 @@ var canonicalizeOrigin = function (s) {
     }
 
     if (typeof(config.httpSafeOrigin) !== 'string') {
+        Env.NO_SANDBOX = true;
         if (typeof(config.httpSafePort) !== 'number') {
             config.httpSafePort = config.httpPort + 1;
         }
@@ -112,7 +113,14 @@ var setHeaders = (function () {
 
             // Don't set CSP headers on /api/config because they aren't necessary and they cause problems
             // when duplicated by NGINX in production environments
-            if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }
+            if (/^\/api\/(broadcast|config)/.test(req.url)) {
+                if (!Env.NO_SANDBOX) {
+                    applyHeaderMap(res, {
+                        "Cross-Origin-Resource-Policy": 'cross-origin',
+                    });
+                }
+                return;
+            }
             applyHeaderMap(res, {
                 "Cross-Origin-Resource-Policy": 'cross-origin',
             });