send Cross-Origin-Resource-Policy header on all responses (#10420)

* send Cross-Origin-Resource-Policy header on all responses

* don't re-add Access-Control-Allow-Origin on json responses

this is re-adding a header we've already set earlier in the process

* update tests