Browser Font Blocked by CORS Fix
In this tutorial, you'll learn how to fix web fonts that the browser blocks because of CORS. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Web fonts loaded from a different origin (CDN, font service, or subdomain) require CORS headers. Without them, the browser blocks the font and uses fallback fonts, causing layout shifts and degraded visual design.
The Wrong Way
<!-- Loading font from a CDN without CORS support -->
<style>
  @font-face {
    font-family: 'CustomFont';
    src: url('https://cdn.example.com/fonts/custom.woff2') format('woff2');
  }
</style>
Output in browser console:
Access to font at 'https://cdn.example.com/fonts/custom.woff2'
from origin 'https://myapp.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
The Right Way
Use a font CDN that sends CORS headers, or serve fonts from your own domain:
<!-- Google Fonts (sends correct CORS headers) -->
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<style>
  @font-face {
    font-family: 'CustomFont';
    src: url('/fonts/custom.woff2') format('woff2'); /* Same-origin */
    font-display: swap;
  }
</style>
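# Nginx - Add CORS headers for font files
# The regex limits the wildcard origin to static font files only.
# add_header in this block replaces any add_header inherited from the
# server level, so repeat security headers here if fonts should keep them.
location ~* \.(woff|woff2|eot|ttf|otf|svg)$ {
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods "GET, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin";
    expires 1y;
    add_header Cache-Control "public, immutable";
}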
Step-by-Step Fix
1. Check font CORS headers
curl -I -H "Origin: https://myapp.com" https://cdn.example.com/font.woff2
# Look for: access-control-allow-origin: *
2. Add CORS headers on the font server
# Flask - Add CORS for fonts
from flask import Flask

app = Flask(__name__)

@app.after_request
def add_cors(response):
    # Only font responses get the CORS headers; everything else is unchanged
    if response.mimetype in ["font/woff2", "font/woff", "application/x-font-ttf"]:
        response.headers["Access-Control-Allow-Origin"] = "*"
        response.headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
    return response
3. Serve fonts from your own domain
# Copy fonts from CDN to your static folder
# Then reference locally
STATIC_FONTS = "/static/fonts/custom.woff2"
4. Use crossorigin attribute in link tags
<link rel="preload"
      href="https://cdn.example.com/font.woff2"
      as="font"
      type="font/woff2"
      crossorigin="anonymous">
5. Validate font MIME types
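# Nginx must serve fonts with correct MIME types
# A types block replaces the inherited extension map at this level,
# so add these entries to mime.types rather than defining them alone.
types {
    font/woff2 woff2;
    font/woff woff;
    application/vnd.ms-fontobject eot;
    application/x-font-ttf ttf;
    image/svg+xml svg;
}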
6. Use font-display to handle loading failures
@font-face {
  font-family: 'CustomFont';
  src: url('https://cdn.example.com/font.woff2') format('woff2');
  font-display: swap; /* Show fallback immediately, swap when font loads */
}
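The header check from step 1, generalized so it can be run offline against captured response headers. This is an added example, not code from the original page; the function name check_font_cors and the sample header sets are constructed for illustration.

```python
# Added example (not from the original page): evaluate captured response
# headers the way a browser's CORS check treats a cross-origin font fetch.
# Fonts are fetched in CORS mode without credentials, so "*" is acceptable.

# MIME types listed in step 5, plus the registered font/ttf and font/otf.
FONT_TYPES = {
    "font/woff2", "font/woff", "font/ttf", "font/otf",
    "application/vnd.ms-fontobject", "application/x-font-ttf", "image/svg+xml",
}

def check_font_cors(page_origin, headers):
    """Return (allowed, findings) for a font requested by page_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        findings.append("blocked: no Access-Control-Allow-Origin header")
    elif acao not in ("*", page_origin):
        # Must be "*" or exactly one origin equal to the page's; lists fail.
        findings.append(f"blocked: {acao!r} does not match {page_origin!r}")
    allowed = not findings
    if allowed and acao != "*":
        # An origin-specific answer cached without Vary: Origin can be
        # replayed to a different site, which the browser then blocks.
        vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
        if "origin" not in vary:
            findings.append("warning: origin-specific header without Vary: Origin")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in FONT_TYPES:
        findings.append(f"warning: unexpected Content-Type {ctype!r}")
    return allowed, findings

# Constructed sample responses (header sets only, no network access needed).
SAMPLES = {
    "wildcard": {"Access-Control-Allow-Origin": "*", "Content-Type": "font/woff2"},
    "missing": {"Content-Type": "font/woff2"},
    "echo-no-vary": {"Access-Control-Allow-Origin": "https://myapp.com",
                     "Content-Type": "font/woff2"},
    "two-origins": {"Access-Control-Allow-Origin":
                    "https://myapp.com, https://other.example",
                    "Content-Type": "font/woff2", "Vary": "Origin"},
    "wrong-type": {"Access-Control-Allow-Origin": "*",
                   "Content-Type": "text/html; charset=utf-8"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_font_cors("https://myapp.com", hdrs))
```

Feed it the headers printed by the curl command in step 1 to see which condition a blocked font is failing.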
Prevention Tips
- Serve fonts from the same origin whenever possible.
- Add Access-Control-Allow-Origin: * on font file responses.
- Verify font MIME types are correctly configured.
- Use font-display: swap to prevent invisible text during font loading.
- Use crossorigin="anonymous" on preload links for cross-origin fonts.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.