Browser Font Blocked by CORS Fix

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about Browser Font Blocked by CORS Fix. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Web fonts loaded from a different origin (CDN, font service, or subdomain) require CORS headers. Without them, the browser blocks the font and uses fallback fonts, causing layout shifts and degraded visual design.

The Wrong Way

<!-- Loading font from a CDN without CORS support -->
<style>
@font-face {
    font-family: 'CustomFont';
    src: url('https://cdn.example.com/fonts/custom.woff2') format('woff2');
}
</style>

Output in browser console:

Access to font at 'https://cdn.example.com/fonts/custom.woff2'
from origin 'https://myapp.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.

The Right Way

Use a font CDN that sends CORS headers, or serve fonts from your own domain:

<!-- Google Fonts (sends correct CORS headers) -->
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">

<style>
@font-face {
    font-family: 'CustomFont';
    src: url('/fonts/custom.woff2') format('woff2'); /* Same-origin */
    font-display: swap;
}
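</style>

# Nginx - Add CORS headers for font files
# Note: add_header directives in this location replace any add_header
# inherited from the server block, so repeat security headers here if needed.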
location ~* \.(woff|woff2|eot|ttf|otf|svg)$ {
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods "GET, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin";
    expires 1y;
    add_header Cache-Control "public, immutable";
}

Step-by-Step Fix

1. Check font CORS headers

curl -I -H "Origin: https://myapp.com" https://cdn.example.com/font.woff2
# Look for: access-control-allow-origin: *

2. Add CORS headers on the font server

# Flask - Add CORS for fonts
from flask import Flask, send_file

app = Flask(__name__)

@app.after_request
def add_cors(response):
    if response.mimetype in ["font/woff2", "font/woff", "application/x-font-ttf"]:
        response.headers["Access-Control-Allow-Origin"] = "*"
        response.headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
    return response

3. Serve fonts from your own domain

# Copy fonts from CDN to your static folder
# Then reference locally
STATIC_FONTS = "/static/fonts/custom.woff2"

4. Use crossorigin="anonymous" on preload links for cross-origin fonts

<link rel="preload"
      href="https://cdn.example.com/font.woff2"
      as="font"
      type="font/woff2"
      crossorigin="anonymous">

5. Validate font MIME types

# Nginx must serve fonts with correct MIME types
types {
    font/woff2 woff2;
    font/woff woff;
    application/vnd.ms-fontobject eot;
    application/x-font-ttf ttf;
    image/svg+xml svg;
}

6. Use font-display to handle loading failures

@font-face {
    font-family: 'CustomFont';
    src: url('https://cdn.example.com/font.woff2') format('woff2');
    font-display: swap; /* Show fallback immediately, swap when font loads */
}
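
The header checks from steps 1, 2 and 5 can be automated. The following is an added example, not code from the original page: the function names and sample responses are constructed for illustration, and origins are compared as plain strings without default-port normalization.

```python
from urllib.parse import urljoin, urlsplit

# MIME types taken from the nginx `types` block in step 5
FONT_TYPES = {"woff2": "font/woff2", "woff": "font/woff",
              "eot": "application/vnd.ms-fontobject",
              "ttf": "application/x-font-ttf", "svg": "image/svg+xml"}

def origin_of(url):
    """Serialize scheme://host[:port]; assumes no explicit default port."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_font_response(page_url, font_url, headers):
    """Return {'blocked': bool, 'notes': [str]} for one font response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    font_url = urljoin(page_url, font_url)      # resolve '/fonts/x.woff2'
    page_origin = origin_of(page_url)
    blocked, notes = False, []
    if origin_of(font_url) != page_origin:      # same-origin needs no CORS
        acao = h.get("access-control-allow-origin")
        if acao is None:
            blocked = True
            notes.append("no Access-Control-Allow-Origin header")
        elif acao not in ("*", page_origin):
            blocked = True
            notes.append(f"Access-Control-Allow-Origin is {acao}, page is {page_origin}")
        elif acao != "*" and "origin" not in h.get("vary", "").lower():
            # Allowed, but a shared cache could replay it to another origin
            notes.append("origin-specific header without Vary: Origin")
    ext = urlsplit(font_url).path.rsplit(".", 1)[-1].lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ext in FONT_TYPES and ctype != FONT_TYPES[ext]:
        notes.append(f"Content-Type {ctype or '(none)'} != {FONT_TYPES[ext]}")
    return {"blocked": blocked, "notes": notes}

# Constructed sample responses (not captured traffic)
PAGE = "https://myapp.com/index.html"
CDN_FONT = "https://cdn.example.com/fonts/custom.woff2"
SAMPLES = {
    "cdn, no CORS": (CDN_FONT, {"Content-Type": "font/woff2"}),
    "cdn, wildcard": (CDN_FONT, {"Content-Type": "font/woff2",
                                 "Access-Control-Allow-Origin": "*"}),
    "cdn, wrong origin": (CDN_FONT, {"Content-Type": "font/woff2",
                                     "Access-Control-Allow-Origin": "https://other.example"}),
    "same origin": ("/fonts/custom.woff2", {"Content-Type": "application/octet-stream"}),
}

if __name__ == "__main__":
    for name, (url, hdrs) in SAMPLES.items():
        print(name, check_font_response(PAGE, url, hdrs))
```

The MIME type note is a configuration warning that follows step 5; only the `Access-Control-Allow-Origin` checks set `blocked`.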

Prevention Tips

  • Serve fonts from the same origin whenever possible.
  • Add Access-Control-Allow-Origin: * on font file responses.
  • Verify font MIME types are correctly configured.
  • Use font-display: swap to prevent invisible text during font loading.
  • Use crossorigin="anonymous" on preload links for cross-origin fonts.

FAQ

Why are fonts subject to CORS when images are not?

CSS @font-face loads are subject to CORS because fonts can be used to fingerprint users (unique font files). Browsers require explicit CORS headers to prevent cross-origin font loading without the server's consent.

How do I fix CORS for Google Fonts?

Google Fonts already sends correct CORS headers. If the fonts are still blocked, check that your site's Content-Security-Policy allows both hosts: style-src https://fonts.googleapis.com; font-src https://fonts.gstatic.com.

What does font-display: swap do?

It tells the browser to render text immediately with a fallback font, then swap to the custom font when it loads. This prevents invisible text (FOIT) but may cause a layout shift (FOUT).

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
