As we have control over the CORS configuration of the served CDN resources, allow configuring the 'Cross-Origin-Resource-Policy' to permit loading the resource when the app is in isolated mode ('Cross-Origin-Embedder-Policy' set to 'require-corp'). This is needed if you want to use advanced features such as SharedArrayBuffers and have a secure web.
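The following is an added example, not code from the original request or from the CDN: a simplified model of the check a browser applies to a subresource when the embedding page sends 'Cross-Origin-Embedder-Policy: require-corp'. The host names, the `corpCheck` function and the two-label site comparison are assumptions made for illustration.

```javascript
// Simplified model of the Cross-Origin-Resource-Policy (CORP) check for a
// subresource embedded by a page. Hypothetical helper, for auditing CDN headers.
const CORP_VALUES = new Set(['same-origin', 'same-site', 'cross-origin']);

// Simplification: real browsers compare registrable domains using the
// Public Suffix List; here the last two host labels stand in for the site.
function naiveSite(url) {
  return url.hostname.split('.').slice(-2).join('.');
}

function corpCheck({ pageUrl, resourceUrl, headers = {}, mode = 'no-cors', coep = 'require-corp' }) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);

  // Requests made in CORS mode (e.g. <script crossorigin>) are governed by
  // the CORS response headers, not by CORP.
  if (mode !== 'no-cors') return { allowed: true, reason: 'cors-mode request' };

  // Header names are case-insensitive; normalise before lookup.
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  let policy = lower['cross-origin-resource-policy'];
  if (!CORP_VALUES.has(policy)) policy = null;

  // Under require-corp a missing or unrecognised header is treated as same-origin.
  if (policy === null && coep === 'require-corp') policy = 'same-origin';

  if (policy === null || policy === 'cross-origin') {
    return { allowed: true, reason: policy ?? 'no policy, page not isolated' };
  }
  if (policy === 'same-origin') {
    return { allowed: page.origin === res.origin, reason: 'same-origin' };
  }
  // same-site: same site, and an http page may not embed an https resource.
  const sameSite = naiveSite(page) === naiveSite(res) &&
    (page.protocol === 'https:' || res.protocol !== 'https:');
  return { allowed: sameSite, reason: 'same-site' };
}

// Constructed sample: an isolated app embedding a script from a separate CDN host.
const sample = { pageUrl: 'https://app.example.com/', resourceUrl: 'https://cdn.example.net/lib.js' };
console.log(corpCheck({ ...sample, headers: {} }));
console.log(corpCheck({ ...sample, headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } }));
```

Without the header the CDN resource is blocked for the isolated page; with `cross-origin` it loads, which is the configuration the request asks to make possible.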