Access-Control-Allow-Origin missing from font assets


When fetching a .woff2 file thru Cloudflare, the Access-Control headers are missing.

The headers exist when not going thru Cloudflare, and when fetching a .js file thru Cloudflare.

I tried purging the .woff2 file using the Cloudflare UI, but the headers are still missing after I waited 5 minutes for the purge to take effect.

The first command below does not go thru Cloudflare, and you can see the Access-Control headers exist as desired.

The second command uses a Cloudflare domain, and you can see the Access-Control headers missing. Both commands are fetching the same resource.

How can I avoid this problem? Thanks.

$ curl -s -H "Origin: https://domain.tld" -D - -o /dev/null

HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2UoWOSRUd9fcMbVZQXf8HMYtAqyhn-yreOxYpzCeSyiMPWhLC7J1amRedFC6wrXv9XdMfUScyFLZmqZeawI3wEChC4Gxeg
Expires: Fri, 06 Oct 2017 22:38:54 GMT
Date: Fri, 06 Oct 2017 21:38:54 GMT
Cache-Control: public, max-age=3600
Last-Modified: Fri, 06 Oct 2017 00:38:01 GMT
ETag: "1ce1356d6c90d68eeb3113dfafd8dc07"
x-goog-generation: 1507250281728588
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 37720
Content-Type: application/font-woff2
x-goog-hash: crc32c=44lsag==
x-goog-hash: md5=HOE1bWyQ1o7rMRPfr9jcBw==
x-goog-storage-class: MULTI_REGIONAL
Accept-Ranges: bytes
Content-Length: 37720
Access-Control-Allow-Origin: https://domain.tld
Access-Control-Expose-Headers: Content-Length, Content-Type, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-GFE-Backend-Request-Cost, X-Google-GFE-Cloud-Project-Number, X-Google-GFE-Load-Report, X-Google-Trace
Vary: Origin
Server: UploadServer
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,35"

$ curl -s -H "Origin: https://domain.tld" -D - -o /dev/null https://assets.domain.tld/didonesque-roman.woff2

HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 21:53:23 GMT
Content-Type: application/octet-stream
Content-Length: 37720
Connection: keep-alive
Set-Cookie: __cfduid=df4d1bc2c9af1519f116571a1141fe7cd1507326803; expires=Sat, 06-Oct-18 21:53:23 GMT; path=/; domain=.domain.tld; HttpOnly; Secure
X-GUploader-UploadID: AEnB2UpPbzZ9-0BvEkYbFAsBMiEjilOYW1fTNvRESaPHZEojwscWMJliJDs6CmJindUkMb4LWS0gJ-jWZb-LDm6T2avCC02cj9Bgl6vZGp5w_tdPFw4spPQ
Expires: Sat, 07 Oct 2017 01:53:23 GMT
Last-Modified: Sun, 01 Oct 2017 16:58:20 GMT
ETag: "1ce1356d6c90d68eeb3113dfafd8dc07"
x-goog-generation: 1506877100186737
x-goog-metageneration: 2
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 37720
x-goog-hash: crc32c=44lsag==
x-goog-hash: md5=HOE1bWyQ1o7rMRPfr9jcBw==
x-goog-storage-class: MULTI_REGIONAL
Cache-Control: public, max-age=14400
CF-Cache-Status: HIT
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 3a9bda6adb1f52ea-MIA


I have the same issue as above when hitting just a simple API route. For me, not only are the access-control headers coming back, but in the request the origin is not being passed through properly.


Cloudflare Support pointed me to this article.

Apparently you can’t purge an individual file and expect the CORS headers to be reset.
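The comparison between the two curl outputs in the first post can be automated. The following is an added example, not part of the original thread and not Cloudflare's tooling: it parses two `curl -D -` header dumps and reports the differences relevant to a CORS failure behind a caching proxy. The function names and finding labels are made up for this example, and the dumps are abridged from the outputs posted above.

```python
# Added example; header dumps abridged from the two curl outputs in the thread.
ORIGIN_DUMP = """\
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Last-Modified: Fri, 06 Oct 2017 00:38:01 GMT
x-goog-generation: 1507250281728588
Content-Type: application/font-woff2
Access-Control-Allow-Origin: https://domain.tld
Vary: Origin
"""

EDGE_DUMP = """\
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sun, 01 Oct 2017 16:58:20 GMT
x-goog-generation: 1506877100186737
Cache-Control: public, max-age=14400
CF-Cache-Status: HIT
"""

def parse_headers(dump):
    """Return {lowercased header name: [values]} from a raw header dump."""
    headers = {}
    for line in dump.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diagnose(origin_dump, edge_dump, request_origin):
    """Compare the direct response with the proxied one; return finding labels."""
    o, e = parse_headers(origin_dump), parse_headers(edge_dump)
    findings = []
    allowed = o.get("access-control-allow-origin", [])
    if (request_origin in allowed or "*" in allowed) and "access-control-allow-origin" not in e:
        findings.append("acao-missing-at-edge")
    if e.get("cf-cache-status", [""])[0].upper() == "HIT":
        findings.append("served-from-edge-cache")
    vary = [t.strip().lower() for v in e.get("vary", []) for t in v.split(",")]
    if "origin" not in vary:
        findings.append("edge-response-not-varied-on-origin")
    for h in ("last-modified", "x-goog-generation", "content-type"):
        if o.get(h) != e.get(h):                # edge copy is not the same object version
            findings.append("object-metadata-differs:" + h)
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(ORIGIN_DUMP, EDGE_DUMP, "https://domain.tld")))
```

To use it on live responses, save the output of each `curl -s -H "Origin: ..." -D - -o /dev/null <url>` command and pass the two strings to `diagnose`.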