For Workes & Pages, what is the name of the domain?
What is the error message?
Access to font at ‘https://static.barbinirocco.com/fonts/Hack-Bold.ttf’ from origin ‘https://www.barbinirocco.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
What is the issue or error you’re encountering
I’m using an R2 public bucket with a custom domain to deliver static assets for my blog (different subdomains under the same domain). The CORS policy in the bucket explicitly allows the subdomain used for the blog, which is delivered using Cloudflare Pages and includes the Origin header in the request, but R2 doesn’t add the CORS header and the request fails in the browser.
What steps have you taken to resolve the issue?
I know I can solve the issue with a transform rule, but lacking a reference to the Origin header, I’m stuck with checking the Referer. Moreover, it only works if I reac to allowed requests with the * setting in the response, which i dislike.
What are the steps to reproduce the issue?
Visit my blog (www.barbinirocco.com) and look at the network call. The ttf font file should fail due to missing Access-Control-Allow-Origin headers, even though the Origin header is present in the request and allowed by the bucket.