diff --git a/server.js b/server.js
index 36ca1a425..0b28b2de6 100644
--- a/server.js
+++ b/server.js
@@ -106,7 +106,6 @@ var setHeaders = (function () {
 return function (req, res) {
 // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
 applyHeaderMap(res, {
- "Cross-Origin-Resource-Policy": 'cross-origin',
 "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
 "Cross-Origin-Embedder-Policy": 'require-corp',
 });
@@ -114,6 +113,10 @@ var setHeaders = (function () {
 // Don't set CSP headers on /api/config because they aren't necessary and they cause problems
 // when duplicated by NGINX in production environments
 if (/^\/api\/(broadcast|config)/.test(req.url)) { return; }
+ applyHeaderMap(res, {
+ "Cross-Origin-Resource-Policy": 'cross-origin',
+ });
+
 // targeted CSP, generic policies, maybe custom headers
 const h = [
 /^\/common\/onlyoffice\/.*\/index\.html.*/,
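Review bot: In the second hunk the `Cross-Origin-Resource-Policy` header now sits below the `/api/(broadcast|config)` early return, so those two endpoints no longer receive it from Node, while `Cross-Origin-Embedder-Policy: require-corp` is still applied to every response in the first hunk. The comment on the early return only mentions CSP, so this new dependency is undocumented; I would extend it, e.g. `// CORP is also skipped here: /api/config and /api/broadcast rely on the reverse proxy to add it`. If the server is ever reached without NGINX in front (presumably local development), a page under `require-corp` that loads these endpoints cross-origin may find them blocked, which is worth confirming before merging. The body of the returned function continues past the end of the hunk.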