diff --git a/src/snek/system/middleware.py b/src/snek/system/middleware.py
index 993051a..449f4d9 100644
--- a/src/snek/system/middleware.py
+++ b/src/snek/system/middleware.py
@@ -69,4 +69,9 @@ async def cors_middleware(request, handler):
 response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
 response.headers["Access-Control-Allow-Headers"] = "*"
 response.headers["Access-Control-Allow-Credentials"] = "true"
+ response.headers["Cross-Origin-Opener-Policy"] = "same-origin"
+ # Uncomment ONE of the following two lines, as needed:
+ # response.headers["Cross-Origin-Embedder-Policy"] = "require-corp"
+ response.headers["Cross-Origin-Embedder-Policy"] = "credentialless"
+
 return response
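Review bot: The two isolation headers are set unconditionally on every response that passes through `cors_middleware`, and the COEP mode is chosen by editing commented-out code, so neither a deployment nor a single handler can opt out without patching the source. `Cross-Origin-Opener-Policy: same-origin` severs the `window.opener` link to cross-origin popups, which can break popup-based sign-in or payment flows, and `credentialless` is not honoured by every browser, so cross-origin isolation may silently not apply there. I would define the mode once at module level, e.g. `COEP_POLICY = "credentialless"`, and, assuming `response.headers` is a dict-like mapping, write the headers with `response.headers.setdefault("Cross-Origin-Opener-Policy", "same-origin")` and `response.headers.setdefault("Cross-Origin-Embedder-Policy", COEP_POLICY)` so a handler can set its own value first, plus a one-line comment naming the feature that needs isolation. Separately, the unchanged context pairs `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Headers: *`, which browsers treat as a literal `*` rather than a wildcard on credentialed requests. The start of the function, including how `Access-Control-Allow-Origin` is chosen, is outside the hunk.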