I get the error:
Font from origin 'http://livehealthyme.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.livehealthyme.com' is therefore not allowed access. www.livehealthyme.com/:1
I think it is because I am using Ninja Firewall on my site. Is there a way to allow my fonts and still have my firewall up?
Related
I have a web-site with images stored on my own server. Some other web-sites use links to these images on their pages, so the server has to handle extra traffic. Can I forbid loading images and other media for external sites with Nginx config? Maybe CORS settings could help me? Thanks!
CORS cannot help you there, because CORS doesn't apply to image tags that lack a crossorigin attribute. You have two options:
a cross-origin resource policy, or
a resource isolation policy.
Cross-origin resource policy
You can specify a cross-origin resource policy (CORP) in the response to requests to your resources. For instance, if you specify the following response header,
Cross-Origin-Resource-Policy: same-site
browsers that support CORP will prevent cross-site origins from embedding your resources in their pages.
Two caveats:
A CORP won't allow you to save any bandwidth, because all browsers (whether or not they support CORP) will download the whole resource first before deciding whether a page can load it.
The Cross-Origin-Resource-Policy response header won't have any effect in browsers that don't support CORP; users of those browsers will be able to load your resources regardless of the page's origin.
Resource Isolation Policy
Alternatively, you can implement some resource isolation policy on the server side via Fetch Metadata request headers:
A Resource Isolation Policy prevents your resources from being requested by external websites.
Be aware that only modern versions of Chromium-based browsers and (more recently) Firefox currently send those request headers; Safari notably does not.
However, implementing such a resource isolation policy may be enough to dissuade third parties from embedding your images on their websites, as a large proportion of their visitors won't be able to load your content.
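A resource isolation policy of the kind described in this answer, written out as an added example (not code from the answer): the server reads the Fetch Metadata request headers and refuses cross-site embeds while still serving its own pages, direct visits, and ordinary links. The function names and sample requests are constructed.

```python
# Added example: a Fetch Metadata resource isolation policy as a pure function.
# Function names and the sample requests are constructed for illustration.


def allow_request(method, headers):
    """Return True if the request may be served, False if it should get a 403."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # Browser does not send Fetch Metadata: the policy cannot judge, so serve.
        return True
    if site in ("same-origin", "same-site", "none"):
        # Own pages, sibling subdomains, or user-initiated (address bar, bookmark).
        return True
    # From here on the request is cross-site. Let plain top-level navigations
    # through so that links to the image from other sites keep working.
    if (method.upper() == "GET"
            and h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") == "document"):
        return True
    # Any other cross-site request (<img> embed, CSS url(), fetch, frame) is refused.
    return False


def status_for(method, headers):
    """HTTP status the server would answer with under this policy."""
    return 200 if allow_request(method, headers) else 403


# Constructed sample requests for an image URL on the protected server.
HOTLINK = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
           "Sec-Fetch-Dest": "image"}
OWN_PAGE = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors",
            "Sec-Fetch-Dest": "image"}
LINK_CLICK = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
              "Sec-Fetch-Dest": "document"}
NO_METADATA = {"User-Agent": "constructed-legacy-browser"}

if __name__ == "__main__":
    for name, req in [("hotlink", HOTLINK), ("own page", OWN_PAGE),
                      ("link click", LINK_CLICK), ("no metadata", NO_METADATA)]:
        print(f"{name:12} -> {status_for('GET', req)}")
```

If a CDN or proxy caches these responses, list the Sec-Fetch-* headers in Vary so that a refused response is never replayed to your own pages.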
I am working on a WordPress website and I have installed the Mautic plugin into the website. Now the issue is that I am getting the following error in the console. Cloudflare is also enabled.
Access to XMLHttpRequest at 'https://mautic.my-domain.com/mtc/event' from origin 'https://www.my-domain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have tried different solutions for the issue but never got rid of this error.
I have tried by removing the trailing slash (/) from the domain name.
I have also used:
Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Allow-Origin 'https://www.my-domain.com'
I have read many threads here at Stack Overflow, GitHub and the Mautic forum but am still looking for the solution. Please help in this regard and thank you in advance.
In Mautic
Configurations > System Settings > CORS Settings
either set it to NO in order to not restrict domains,
or set it to YES and add the domain you want to allow.
I believe it was yesterday when my website's custom fonts ceased to function. Now, the fonts are only shown on Safari, while Chrome and Firefox throw access control allow origin errors to their respective consoles.
Chrome Error:
Access to font at 'https://blockheaddevdevdev--grify.repl.co/styles/font/wide.ttf' from origin 'https://blockheaddevdevdev.grify.repl.co' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Firefox Error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://blockheaddevdevdev--grify.repl.co/styles/font/wide.ttf. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]
Here is the font I am using
Here is the CSS that applies the fonts to the page
Here is the page that should run these custom fonts
You are importing your style.css from this domain:
https://blockheaddevdevdev--grify.repl.co
<link href="https://blockheaddevdevdev--grify.repl.co/styles/style.css" rel="stylesheet" type="text/css">
and not: https://blockheaddevdevdev.grify.repl.co
That's why you get a cross-origin error.
If you fix the link tag you shouldn't get that error.
I replaced my URL http://127.0.0.1/sitename/ with http://localhost/sitename/ and it worked.
I have a server and a domain B pointing to it. Recently I bought a new domain A and did a redirection to B. I removed A because this error started appearing when loading fonts.
Redirect from 'A' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present
on the requested resource. Origin 'B' is therefore not allowed access.
I understand that server where A is pointing must be configured to have 'Access-Control-Allow-Origin' origin but domain A only was a redirection which I did on my hosting so there is no server that I have access to, to do this. I have already removed server A to redirect to B.
How is this solved?
Edit:
Both domains were bought from GoDaddy, the server is hosted in AWS and I have already modified the .htaccess to set the headers accordingly but no luck.
Add the following code to the .htaccess of origin B if you have control over origin B:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
You can also edit that code according to your need.
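The server-side decision behind headers like those above, as an added example that is not part of any answer on this page: it echoes an allow-listed origin instead of "*" (browsers reject "*" when credentials are sent) and answers the preflight seen in the Mautic error. The allow-lists, function names and sample origins are constructed.

```python
# Added example; the allow-lists and function names are constructed.
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com/"}
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
ALLOWED_REQUEST_HEADERS = {"content-type", "x-requested-with"}


def norm_origin(origin):
    # An origin is scheme://host[:port]; a trailing slash in config is a common slip.
    return origin.strip().rstrip("/").lower()


NORMALIZED = {norm_origin(o) for o in ALLOWED_ORIGINS}


def cors_headers(method, request_headers, credentials=False):
    """Return the CORS response headers for one request."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        return {}  # no Origin header: not a CORS request
    out = {"Vary": "Origin"}  # the response depends on Origin, so caches must key on it
    if norm_origin(origin) not in NORMALIZED:
        return out  # no Allow-Origin header: the browser blocks the read
    out["Access-Control-Allow-Origin"] = origin.strip()
    if credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    wanted = h.get("access-control-request-method", "").strip().upper()
    if method.upper() == "OPTIONS" and wanted:  # preflight
        if wanted in ALLOWED_METHODS:
            out["Access-Control-Allow-Methods"] = wanted
        asked = h.get("access-control-request-headers", "").split(",")
        granted = [a.strip().lower() for a in asked
                   if a.strip().lower() in ALLOWED_REQUEST_HEADERS]
        if granted:
            out["Access-Control-Allow-Headers"] = ", ".join(granted)
    return out
```

Scheme, host and port must all match: with this allow-list, http://example.com and https://cdn.example.com get no Access-Control-Allow-Origin header even though https://example.com does.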
I put the font references on a subdomain and I am using them like this:
<link href="https://cdn.example.com/Styles/font-awesome.min.css" rel="stylesheet" />
Font from origin 'https://cdn.example.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access.
I found a solution but it doesn't help me, I think the reason is I use https instead of http.
Serving contain to sub domains from an MVC / IIS web application