R2 not adding CORS header when allowed Origin is present in the request

For Workers & Pages, what is the name of the domain?

What is the error message?

Access to font at ‘https://static.barbinirocco.com/fonts/Hack-Bold.ttf’ from origin ‘https://www.barbinirocco.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

What is the issue or error you’re encountering?

I’m using an R2 public bucket with a custom domain to deliver static assets for my blog (different subdomains under the same domain). The CORS policy in the bucket explicitly allows the subdomain used for the blog, which is delivered using Cloudflare Pages and includes the Origin header in the request, but R2 doesn’t add the CORS header and the request fails in the browser.

What steps have you taken to resolve the issue?

I know I can solve the issue with a transform rule, but lacking a reference to the Origin header, I’m stuck with checking the Referer. Moreover, it only works if I react to allowed requests with the * setting in the response, which I dislike.

What are the steps to reproduce the issue?

Visit my blog (www.barbinirocco.com) and look at the network call. The ttf font file should fail due to missing Access-Control-Allow-Origin headers, even though the Origin header is present in the request and allowed by the bucket.

Current CORS policy for the bucket:

[
  {
    "AllowedOrigins": [
      "http://localhost:1313",
      "https://barbinirocco.com",
      "https://www.barbinirocco.com"
    ],
    "AllowedMethods": [
      "GET"
    ]
  }
]

Everything from your static bucket is loading for me in Firefox and Brave. The headers look to be in order:


Weird, I tried with multiple browsers and I consistently get the same error (pictured in Firefox here):

I also tried connecting via a VPN to exclude an issue with my router configuration, and I tried on my mobile device disabling wifi for the same reason (it’s clearly not loading the fonts there).

Also with curl:

Also works for me.


Can you try clearing Cloudflare cache?

On another note, careful with the -H option on curl. Better use -o /dev/null to suppress the output. HEAD requests are best effort and can actually have different headers, though it’s not the problem here.


Thanks, that solved it.


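A way to triage this symptom offline, as an added example that is not code from the thread: it checks a captured response against the bucket policy posted above and flags the case where an allowed origin gets no CORS header on a cache hit, which is the case the cache purge resolved here. The function names, the sample header dumps and the use of Cloudflare's cf-cache-status response header as the cache indicator are assumptions of this example, and origin matching is assumed to be an exact string comparison.

```python
import json

# Bucket CORS policy as posted in the thread.
POLICY = json.loads("""[{"AllowedOrigins": ["http://localhost:1313",
  "https://barbinirocco.com", "https://www.barbinirocco.com"],
  "AllowedMethods": ["GET"]}]""")

# Constructed header dumps (not captured from the real site). A real one can be
# taken with a GET that discards the body and prints the response headers:
#   curl -s -o /dev/null -D - -H 'Origin: https://www.barbinirocco.com' <url>
STALE = "HTTP/2 200\ncontent-type: font/ttf\ncf-cache-status: HIT\n"
FRESH = ("HTTP/2 200\ncontent-type: font/ttf\n"
         "access-control-allow-origin: https://www.barbinirocco.com\n"
         "vary: Origin\ncf-cache-status: MISS\n")

def origin_allowed(policy, origin, method="GET"):
    """True if any rule lists both the method and the exact origin string."""
    return any(method in rule.get("AllowedMethods", [])
               and origin in rule.get("AllowedOrigins", [])
               for rule in policy)

def parse_headers(raw):
    """Lower-cased header map; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def diagnose(policy, origin, raw_response, method="GET"):
    """Compare what the policy promises with what the response carries."""
    headers = parse_headers(raw_response)
    acao = headers.get("access-control-allow-origin")
    if not origin_allowed(policy, origin, method):
        return "origin not in policy: no CORS header expected"
    if acao in (origin, "*"):
        return "ok"
    if acao is not None:
        return "header present for a different origin: " + acao
    if headers.get("cf-cache-status", "").upper() == "HIT":
        return "allowed origin, header missing, cache hit: purge and retest"
    return "allowed origin, header missing, not a cache hit: recheck policy"

if __name__ == "__main__":
    for label, dump in (("stale", STALE), ("fresh", FRESH)):
        print(label, "->", diagnose(POLICY, "https://www.barbinirocco.com", dump))
```
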