Browser CORS Blocking Font/Image Loading Fix

DodaTech Updated 2026-06-24 2 min read

This tutorial explains why browsers block cross-origin font and image loads under CORS and how to fix it. It covers the key concepts, practical examples, and best practices.

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from requesting resources from a different origin. When fonts or images are hosted on a different domain, the server must include the correct CORS headers.

The Wrong Way

<!-- Loading a font from a CDN that sends no CORS headers -->
<style>
  @font-face { font-family: "CustomFont"; src: url("https://fonts.cdn.com/custom-font.woff2") format("woff2"); }
</style>

Output in browser console:

Access to font at 'https://fonts.cdn.com/custom-font.woff2'
from origin 'https://myapp.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.

The Right Way

Ensure the resource server includes CORS headers:

# Nginx configuration for the CDN or resource server
location ~* \.(woff|woff2|eot|ttf|otf)$ {
    add_header Access-Control-Allow-Origin "https://myapp.com";
    add_header Access-Control-Allow-Methods "GET, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin";
}

# Python Flask server for resources
from flask import Flask, send_from_directory

app = Flask(__name__)

@app.after_request
def add_cors_headers(response):
    response.headers["Access-Control-Allow-Origin"] = "https://myapp.com"
    response.headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
    return response

@app.route("/fonts/<path:filename>")
def serve_font(filename):
    # send_from_directory rejects paths that escape the fonts/ directory
    return send_from_directory("fonts", filename)

Step-by-Step Fix

1. Check current CORS headers

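// Run from a page on your own origin; a rejected promise means the request was blocked
fetch("https://cdn.example.com/font.woff2", {method: "HEAD"})
    .then(response => {
        // Browsers do not expose Access-Control-Allow-Origin to scripts on cross-origin
        // responses, so this can log null even when the CORS check passed
        const cors = response.headers.get("Access-Control-Allow-Origin");
        console.log("Request allowed, status:", response.status, "CORS header:", cors);
    })
    .catch(err => console.error("Blocked or failed:", err));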

2. Add CORS headers at the origin server

# Using Flask-CORS
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, origins=["https://myapp.com"])

3. Use crossorigin attribute on HTML elements

<img src="https://cdn.example.com/image.jpg" crossorigin="anonymous">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto" crossorigin="anonymous">

4. Proxy resources through your own server

location /proxy-fonts/ {
    proxy_pass https://fonts.cdn.com/;
    proxy_set_header Host fonts.cdn.com;
    add_header Access-Control-Allow-Origin "https://myapp.com";
}

5. Use data URIs for small resources

<!-- Convert small images to base64 data URIs -->
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..." alt="icon">

Prevention Tips

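  • Add Access-Control-Allow-Origin: * to all public static resource servers. The wildcard only satisfies requests made without credentials (crossorigin="anonymous"), so keep it to content that any site may read.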
  • Use the crossorigin="anonymous" attribute on <link> and <img> tags loading cross-origin resources.
  • Validate CORS headers with curl: curl -I -H "Origin: https://myapp.com" https://cdn.example.com/font.woff2.
  • Self-host critical fonts and images to avoid CORS entirely.
  • Use a CDN that supports custom CORS headers.
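
The check the browser applies to the headers that the curl command above prints, as an added example that is not code from the original page. It follows the CORS check in the Fetch standard; the function names and the sample responses are constructed for illustration.

```javascript
// Added example: the Fetch standard's CORS check applied to `curl -I` output.
// All sample responses below are constructed for illustration.

// Parse header text into a lowercase map; repeated headers are joined with ", ",
// which is how the browser sees them.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const i = line.indexOf(":");
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// credentials=false models crossorigin="anonymous"; true models "use-credentials".
function corsCheck(pageOrigin, headers, credentials = false) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "header missing" };
  if (acao === "*" && !credentials) return { allowed: true, reason: "wildcard" };
  // The comparison is exact: case, scheme, port and trailing slash all matter.
  if (acao !== pageOrigin) return { allowed: false, reason: `no exact match for "${acao}"` };
  if (!credentials) return { allowed: true, reason: "origin match" };
  return headers["access-control-allow-credentials"] === "true"
    ? { allowed: true, reason: "origin match, credentials allowed" }
    : { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
}

const STATUS = "HTTP/1.1 200 OK\nContent-Type: font/woff2\n";
const SAMPLES = {
  missing: STATUS,
  exact: STATUS + "Access-Control-Allow-Origin: https://myapp.com\n",
  wildcard: STATUS + "Access-Control-Allow-Origin: *\n",
  trailingSlash: STATUS + "Access-Control-Allow-Origin: https://myapp.com/\n",
  // e.g. a proxy and its upstream both adding the header
  duplicated: STATUS + "Access-Control-Allow-Origin: *\nAccess-Control-Allow-Origin: https://myapp.com\n",
};

function checkSample(name, credentials = false) {
  return corsCheck("https://myapp.com", parseHeaders(SAMPLES[name]), credentials);
}

for (const name of Object.keys(SAMPLES)) {
  const r = checkSample(name);
  console.log(`${name.padEnd(14)} ${r.allowed ? "allowed" : "BLOCKED"} (${r.reason})`);
}
```

The duplicated case is worth checking after adding a proxy: if the upstream already sends the header and the proxy adds its own, the browser sees one combined value that matches no origin.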

FAQ

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security feature that controls how web pages request resources from a different origin (domain, protocol, or port). The server must explicitly allow cross-origin requests.

Why do fonts need CORS but images sometimes do not?

Browsers fetch fonts referenced from CSS @font-face in CORS mode, so a font served from a different origin is always subject to CORS. Images loaded via <img> tags have always been allowed cross-origin, but CORS is required when the image is drawn to a canvas and its pixels are read back.

Can I disable CORS in my browser?

You can disable CORS in development by launching the browser with --disable-web-security, but this should never be used in production. Fix the server-side CORS configuration instead.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
