
CORS errors when using an Azure CDN with multiple origins


We have set up custom rules on the Azure CDN Standard endpoint to modify (overwrite) the response header based on the Origin of the request. In the rules defined, we are setting the Access-Control-Allow-Origin header value to the same value as that of the Origin of the request for all of the domains of the below-mentioned sites.

[Image: CDN custom rules for CORS]

We have multiple sites getting data served from the CDN URLs:

We are seeing some CORS errors when accessing the sites and switching between the environments. These all seem to be related to .woff extension font files. This is an example error:

Access to font at 'https://cdn.example.com/example.woff' from origin 'https://sitename.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://sitename-preview.com' that is not equal to the supplied origin.

It is as if the rules set up for the CDN endpoint do not get acknowledged if you have already accessed a site from a different URL where you already requested assets from the CDN.

Microsoft has acknowledged that there is a problem in the multiple origin scenario here: https://learn.microsoft.com/en-us/azure/cdn/cdn-cors, but the proposed solution only caters to a single origin. If we add multiple origins to separate rules, then we still end up with the problem that occurs when the browser caches the Access-Control-Allow-Origin header for the first CORS origin.

Is there any workaround for this, other than to change the Access-Control-Allow-Origin header to * and put the CDN behind a WAF? I've read that the CORS spec is all or nothing here: "Access-Control-Allow-Origin wildcard subdomains, ports and protocols", where the most upvoted answer states that it only supports *, null or the exact protocol + domain + port.


Solution

  • We worked around this issue by setting the Cache-Control property in the response header for .woff extension files to 'no-cache' within the Azure CDN endpoint caching rules.

    [Image: No Cache for Woff]
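
An added example, not part of the original question or answer and not Azure CDN code: a small model of a URL-keyed cache that reproduces the mismatch after switching sites and shows why the `no-cache` rule from the solution avoids it. The `Vary: Origin` case is general HTTP caching behaviour included for comparison, not something the page tested; all function names are hypothetical.

```javascript
// Constructed model, not Azure CDN code: a cache in front of an edge rule that
// reflects the request Origin into Access-Control-Allow-Origin (ACAO).
const ALLOWED = new Set(['https://sitename.com', 'https://sitename-preview.com']);
const FONT = 'https://cdn.example.com/example.woff';

// Edge rule from the question; extraHeaders is the caching rule under test.
function edgeResponse(origin, extraHeaders) {
  const headers = { ...extraHeaders };
  if (ALLOWED.has(origin)) headers['access-control-allow-origin'] = origin;
  return { headers, body: 'woff-bytes' };
}

// Cache key is the URL, plus the Origin only when the stored response said Vary: Origin.
function cacheKey(url, origin, vary) {
  return (vary || '').toLowerCase() === 'origin' ? `${url}|${origin}` : url;
}

function makeCache(extraHeaders) {
  const store = new Map();   // cache key -> stored response
  const varyFor = new Map(); // url -> Vary value of the stored response
  return function fetchFont(url, origin) {
    const hit = store.get(cacheKey(url, origin, varyFor.get(url)));
    if (hit) return { ...hit, fromCache: true };
    const res = edgeResponse(origin, extraHeaders);
    // no-cache is modelled as "always go back to the edge before reuse".
    if (!/\bno-cache\b/i.test(res.headers['cache-control'] || '')) {
      varyFor.set(url, res.headers['vary']);
      store.set(cacheKey(url, origin, res.headers['vary']), res);
    }
    return { ...res, fromCache: false };
  };
}

// The check behind the error in the question: ACAO must equal the requesting origin.
function corsAllows(res, origin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Load the font from the preview site, then from the live site, through one cache.
function switchSites(extraHeaders) {
  const fetchFont = makeCache(extraHeaders);
  fetchFont(FONT, 'https://sitename-preview.com');
  const second = fetchFont(FONT, 'https://sitename.com');
  return { allowed: corsAllows(second, 'https://sitename.com'), fromCache: second.fromCache };
}

console.log(switchSites({}));                              // reflected ACAO, default caching
console.log(switchSites({ 'cache-control': 'no-cache' })); // the rule from the solution
console.log(switchSites({ vary: 'Origin' }));              // comparison case
```
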