Access-Control-Allow-Origin missing from font assets


#1

When fetching a .woff2 file thru Cloudflare, the Access-Control headers are missing.

The headers exist when not going thru Cloudflare, and when fetching a .js file thru Cloudflare.

I tried purging the .woff2 file using the Cloudflare UI, but the headers are still missing after I waited 5 minutes for the purge to take effect.

The first command below does not go thru Cloudflare, and you can see the Access-Control headers exist as desired.

The second command uses a Cloudflare domain, and you can see the Access-Control headers missing. Both commands are fetching the same resource.

How can I avoid this problem? Thanks.

$ curl -s -H "Origin: https://domain.tld" -D - -o /dev/null https://storage.googleapis.com/assets.domain.tld/didonesque-roman.woff2

HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2UoWOSRUd9fcMbVZQXf8HMYtAqyhn-yreOxYpzCeSyiMPWhLC7J1amRedFC6wrXv9XdMfUScyFLZmqZeawI3wEChC4Gxeg
Expires: Fri, 06 Oct 2017 22:38:54 GMT
Date: Fri, 06 Oct 2017 21:38:54 GMT
Cache-Control: public, max-age=3600
Last-Modified: Fri, 06 Oct 2017 00:38:01 GMT
ETag: "1ce1356d6c90d68eeb3113dfafd8dc07"
x-goog-generation: 1507250281728588
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 37720
Content-Type: application/font-woff2
x-goog-hash: crc32c=44lsag==
x-goog-hash: md5=HOE1bWyQ1o7rMRPfr9jcBw==
x-goog-storage-class: MULTI_REGIONAL
Accept-Ranges: bytes
Content-Length: 37720
Access-Control-Allow-Origin: https://domain.tld
Access-Control-Expose-Headers: Content-Length, Content-Type, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-GFE-Backend-Request-Cost, X-Google-GFE-Cloud-Project-Number, X-Google-GFE-Load-Report, X-Google-Trace
Vary: Origin
Server: UploadServer
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,35"

$ curl -s -H "Origin: https://domain.tld" -D - -o /dev/null https://assets.domain.tld/didonesque-roman.woff2

HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 21:53:23 GMT
Content-Type: application/octet-stream
Content-Length: 37720
Connection: keep-alive
Set-Cookie: __cfduid=df4d1bc2c9af1519f116571a1141fe7cd1507326803; expires=Sat, 06-Oct-18 21:53:23 GMT; path=/; domain=.domain.tld; HttpOnly; Secure
X-GUploader-UploadID: AEnB2UpPbzZ9-0BvEkYbFAsBMiEjilOYW1fTNvRESaPHZEojwscWMJliJDs6CmJindUkMb4LWS0gJ-jWZb-LDm6T2avCC02cj9Bgl6vZGp5w_tdPFw4spPQ
Expires: Sat, 07 Oct 2017 01:53:23 GMT
Last-Modified: Sun, 01 Oct 2017 16:58:20 GMT
ETag: "1ce1356d6c90d68eeb3113dfafd8dc07"
x-goog-generation: 1506877100186737
x-goog-metageneration: 2
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 37720
x-goog-hash: crc32c=44lsag==
x-goog-hash: md5=HOE1bWyQ1o7rMRPfr9jcBw==
x-goog-storage-class: MULTI_REGIONAL
Cache-Control: public, max-age=14400
CF-Cache-Status: HIT
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 3a9bda6adb1f52ea-MIA

#2

I have the same issue as above when hitting just a simple API route. For me, not only are the access-control headers coming back, but in the request origin is not being passed through properly.


#3

Cloudflare Support pointed me to this article.

Apparently you can’t purge an individual file and expect the CORS headers to be reset.
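
Added example, not part of any post in this thread: a shell check that compares two curl -D - header dumps like the ones in the first post and reports which CORS headers the origin sent but the Cloudflare response lacked, together with the CF-Cache-Status value. The two sample dumps are constructed (abbreviated from that post) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample dumps are constructed: they are
# abbreviated from the two curl outputs in the first post.
ORIGIN_DUMP='HTTP/1.1 200 OK
Content-Type: application/font-woff2
Access-Control-Allow-Origin: https://domain.tld
Access-Control-Expose-Headers: Content-Length, Content-Type
Vary: Origin
Server: UploadServer'
EDGE_DUMP='HTTP/1.1 200 OK
Content-Type: application/octet-stream
Cache-Control: public, max-age=14400
CF-Cache-Status: HIT
Server: cloudflare-nginx'

# header_value DUMP NAME: value of the first header NAME (case-insensitive).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { i = index($0, ":"); if (i == 0) next }
        tolower(substr($0, 1, i - 1)) == want {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# cors_names DUMP: lowercased Access-Control-* header names, plus the marker
# "vary-origin" when a Vary header lists Origin.
cors_names() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F: '
        { n = tolower($1) }
        n ~ /^access-control-/ { print n }
        n == "vary" && tolower($2) ~ /origin/ { print "vary-origin" }' | sort -u
}

# missing_at_edge ORIGIN EDGE: CORS headers the origin sent but the edge did not.
missing_at_edge() {
    edge=$(cors_names "$2")
    for n in $(cors_names "$1"); do
        printf '%s\n' "$edge" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

# verdict ORIGIN EDGE: one-line summary suitable for a monitoring check.
verdict() {
    miss=$(missing_at_edge "$1" "$2" | tr '\n' ' ')
    [ -z "$miss" ] && { echo "ok"; return 0; }
    echo "cache=$(header_value "$2" CF-Cache-Status) missing: ${miss% }"
}

verdict "$ORIGIN_DUMP" "$EDGE_DUMP"
```

To run it against live responses, fill the two variables from the curl commands in the first post, keeping the same Origin request header on both.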