diff --git a/core/base-service/legacy-result-sender.js b/core/base-service/legacy-result-sender.js
index f3a3d126928c970a7051b338eccd60eb960f6832..ba0629130b29ebabf21d06e9c77727bce11e2ddf 100644
--- a/core/base-service/legacy-result-sender.js
+++ b/core/base-service/legacy-result-sender.js
@@ -17,7 +17,6 @@ function sendSVG(res, askres, end) {
 
 function sendJSON(res, askres, end) {
   askres.setHeader('Content-Type', 'application/json')
-  askres.setHeader('Access-Control-Allow-Origin', '*')
   askres.setHeader('Content-Length', Buffer.byteLength(res, 'utf8'))
   end(null, { template: streamFromString(res) })
 }
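Review bot: With the `Access-Control-Allow-Origin` line removed, sendJSON now relies on the global `camp.handle` middleware in core/server/server.js to supply the CORS header, but nothing in this file records that, so a later reader sees a JSON endpoint with no CORS header and may re-add it per route. A one-line comment above the Content-Type header would keep the knowledge local: `// CORS/CORP headers are added to every response by the global handler in core/server/server.js`. If any caller emits JSON without passing through that handler, it now loses the header; the callers are not visible from this hunk, so that is worth confirming before merge.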
diff --git a/core/server/server.js b/core/server/server.js
index 65c8a52f7502597d0aa07e29a26ec69314735914..f5621d94112578335cec1a12e3a562bc50e425df 100644
--- a/core/server/server.js
+++ b/core/server/server.js
@@ -541,9 +541,12 @@ class Server {
       }
     }
 
-    // https://github.com/badges/shields/issues/3273
     camp.handle((req, res, next) => {
+      // https://github.com/badges/shields/issues/3273
       res.setHeader('Access-Control-Allow-Origin', '*')
+      // https://github.com/badges/shields/issues/10419
+      res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin')
+
       next()
     })
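Review bot: The two headers are justified only by issue links; a sentence stating the intent would let a reviewer judge the exposure without leaving the code, e.g. `// Badges are embedded by third-party pages, so every response is deliberately cross-origin readable: CORS lets any origin read it and CORP 'cross-origin' lets pages that set Cross-Origin-Embedder-Policy embed it.` Because this handler runs before routing, both headers apply to every response the server produces, not only badge images; that is presumably intended for a public badge service, but the comment should say so explicitly so a future non-public endpoint is not exposed by default. The trailing blank line before `next()` is a style nit. The enclosing method of class Server starts and ends outside the hunk.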
 
diff --git a/core/server/server.spec.js b/core/server/server.spec.js
index 741b2e92dad0ab829c3fab644152670df8482519..5c014b820dd52671db500f57c7da7a0cdb5cbabc 100644
--- a/core/server/server.spec.js
+++ b/core/server/server.spec.js
@@ -79,6 +79,7 @@ describe('The server', function () {
       )
       expect(statusCode).to.equal(200)
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
     })
 
     it('should redirect colorscheme PNG badges as configured', async function () {
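Review bot: Both new assertions (this one and the one in the JSON test further down) check the header only on 200 responses; since it is emitted by a routing-independent handler, a single assertion on a non-200 path would confirm it is not lost on redirects or error responses. The redirect test whose `it(...)` line is visible right after this hunk looks like a natural place for such a check, if its body captures the response headers; I cannot see that body from here.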
@@ -133,6 +134,7 @@ describe('The server', function () {
       expect(statusCode).to.equal(200)
       expect(headers['content-type']).to.equal('application/json')
       expect(headers['access-control-allow-origin']).to.equal('*')
+      expect(headers['cross-origin-resource-policy']).to.equal('cross-origin')
       expect(headers['content-length']).to.equal('92')
       expect(() => JSON.parse(body)).not.to.throw()
     })