Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cross-Origin Resource Sharing policy Font

I am using W3 Total Cache with Amazon cloudfront. I have in my htaccess file:

# BEGIN W3TC CDN
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
# END W3TC CDN 

But still getting error:

Font from origin 'https://example.cloudfront.net' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.example.com' is therefore not allowed access.

Why is this happening?

like image 909
JoaMika Avatar asked Aug 31 '16 10:08

JoaMika


People also ask

How do I fix my cross-origin policy?

Use a Serverless Function. A more commonly used solution to resolve CORS error is to use a serverless function. It is an alternate way to proxy your requests, but instead of relying on a free third-party service, you can build your micro-infrastructure to call a web service and feed data to an API endpoint.

What is CORS Cross-Origin Resource Sharing policy?

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

What is considered cross-origin CORS?

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

How do I fix CORS error in HTML?

to fix the error, you need to enable CORS on the server. The client expects to see CORS headers sent back in order to allow the request. It might even send a preflight request to make sure that the headers are there. You can enable CORS server side for one, multiple, or all domains hitting your server.


2 Answers

Found the solution in this link: https://www.naschenweng.info/2014/09/23/wordpress-w3-total-cache-cloudfront-font-cors-issue/.

You need to change the CloudFront distribution's behaviors settings:

  • Change “Forward Headers” from “None” to “Whitelist”
  • Add “Origin” to the “Whitelist Headers”
  • Make sure that “Use Origin Cache Headers” is checked

Then invalidate the cached fonts.

like image 196
Yao Avatar answered Oct 26 '22 02:10

Yao


Wrestling with this for days, and think I finally fixed it. Here are some things to check:

  • The webserver config should add the proper header. Apache syntax is listed in the question. Here's Nginx syntax that I used:

location ~* \.(eot|ttf|woff|woff2)$ { add_header Access-Control-Allow-Origin '*'; }

  • Within W3TC > Performance > CDN > Custom File List, I added the following to upload the actual font files:

{plugins_dir}/*.ttf {plugins_dir}/*.woff

  • While you're there, set the Theme file types to upload to the following. Per @Yao's link, the default separators are inconsistent (should all be semicolons, not commas)

*.css;*.js;*.gif;*.png;*.jpg;*.ico;*.ttf;*.otf;*.woff;*.less

  • In S3 > Permissions > CORS Configuration, change the default

<AllowedHeader>Authorization</AllowedHeader> to: <AllowedHeader>*</AllowedHeader> You should start seeing the necessary Access-Control-Allow-Origin header in the response.

  • In CloudFront > Distribution > Behaviors, make the following changes:

    1. Change Allowed HTTP Methods to GET, HEAD, OPTIONS (you need OPTIONS)
    2. Change Forward Headers to Whitelist
    3. Under Whitelist Headers, Add >> Origin
  • To test:

curl -I -s -X GET -H "Origin: www.example.com" https://abcdefg543210.cloudfront.net/wp-content/path/to/foo.ttf

This should give you back the following header:

Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront

I found this blog post to be pretty helpful: http://blog.celingest.com/en/2014/10/02/tutorial-using-cors-with-cloudfront-and-s3/

like image 44
Robert Chen Avatar answered Oct 26 '22 04:10

Robert Chen