There is a http header called Access-Control-Allow-Origin, which is exactly what we use here. So, anywhere in our code we can set this header to allow resource sharing. We could either allow this for every domain (with a
*) or for a specific address, i.e.
But what if we want to add this header for static resources on the file system, without going through the ASP.net pipeline? Of course we can configure this in the
<system.webServer> <httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="*" /> </customHeaders> </httpProtocol> </system.webServer>
This adds the header for all requests. But as i mentioned in the beginning, we only want to set this on fonts. All our fonts are located under the directory
/assets/fonts, so we could simple put this configuration into a
<location path="assets/fonts"> <system.webServer> <httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="*" /> </customHeaders> </httpProtocol> </system.webServer> </location>
If possible, you should always consider adding only the domain really needed. CORS is a security feature, and allowing every origin on a specific resource does not make the usage of your resource more secure.