Update security header

Author: soruly

next.config.mjs

@@ -19,9 +19,9 @@ export default (phase) =>
                   key: "Access-Control-Allow-Headers",
                   value: "Content-Type, x-trace-secret",
                 },
+                { key: "Cross-Origin-Resource-Policy", value: "cross-origin" },
                 { key: "Referrer-Policy", value: "no-referrer" },
                 { key: "X-Content-Type-Options", value: "nosniff" },
-                { key: "X-XSS-Protection", value: "1; mode=block" },
                 {
                   key: "Content-Security-Policy",
                   value: [

public/_headers

@@ -3,6 +3,6 @@
   Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS
   Access-Control-Allow-Headers: Content-Type, x-trace-secret
   Referrer-Policy: no-referrer
+  Cross-Origin-Resource-Policy: cross-origin
   X-Content-Type-Options: nosniff
-  X-XSS-Protection: 1; mode=block
   Content-Security-Policy: default-src 'none'; script-src 'self' static.cloudflareinsights.com; style-src * 'self' 'unsafe-inline'; img-src * 'self' data: blob: https://api.trace.moe; font-src 'self'; media-src blob: 'self' https://api.trace.moe; worker-src 'self'; form-action 'self'; base-uri 'none'; frame-ancestors 'none'; manifest-src 'self'; block-all-mixed-content; connect-src blob: 'self' https://cloudflareinsights.com https://api.trace.moe https://graphql.anilist.co