# CORS Header

Cross-origin resource sharing (CORS) is a browser security mechanism that determines whether a web page can load resources from a different origin. While browsers allow cross-origin images, CSS files, scripts, iframes, and videos without restrictions, other request types — such as Ajax calls and web fonts — are blocked by default under the same-origin policy.

CORS defines how browsers and servers evaluate cross-origin requests. Medianova CDN can send the `access-control-allow-origin` header in HTML responses to enable controlled cross-origin access.

By default, Medianova CDN forwards any CORS-related headers sent by your origin. You only need to enable CORS Header if you want CDN edges to set or override this header.

{% hint style="info" %}
If your origin already sends a correct CORS header with HTML responses and you do not see CORS errors, you can keep CORS Header disabled.

By default, Medianova CDN forwards the CORS header in HTML responses from your origin to browsers.
{% endhint %}

You can configure CORS Header in the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid).

## Enable CORS Header

{% stepper %}
{% step %}
**Access CORS Header**

Go to **CDN → CDN Resources** and select a CDN Resource.\
Open the **Headers** tab.
{% endstep %}

{% step %}
**Enable CORS Header**

By default, CORS Header is disabled.\
Toggle **Status** to enable the feature.

Confirm that the configuration fields are now active.
{% endstep %}
{% endstepper %}

### Configure CORS Header

After enabling the feature, Medianova CDN edge servers add the `access-control-allow-origin` header to HTML responses based on your configuration.

#### Allow all origins (Wildcard)

If no domains are defined in the allow list, CDN edges return the following header:

```
access-control-allow-origin: *
```

The wildcard `*` allows any origin to load cross-origin resources from the CDN.

#### Allow specific domains

Add domains to restrict cross-origin access to only approved origins.

For example, if `https://www.shop.com` loads web fonts from `https://fonts.shop.com` and you want to prevent external sites from using these fonts, add `fonts.shop.com` to the allow list.

When a domain is added, CDN edges respond with:

```
access-control-allow-origin: https://fonts.shop.com
```

{% stepper %}
{% step %}
Enter a domain into the **Allowed Domains** field.\
Examples: `fonts.shop.com`, `https://fonts.shop.com`
{% endstep %}

{% step %}
Select **Add** to include the domain in the allow list.
{% endstep %}
{% endstepper %}

### Troubleshooting

* CORS Header applies only to **HTML responses**.
* If your origin also sets `access-control-allow-origin`, CDN behavior depends on your Header Override configuration.
* Browser console messages provide the most accurate diagnostics for CORS failures.
* If you use credentials or custom headers in your requests, additional CORS headers may be required at the origin level.
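
When diagnosing a CORS error, it helps to know how a browser evaluates the header values shown on this page. The following added example (not Medianova code) models the CORS check defined in the Fetch standard for `access-control-allow-origin`; the function name `corsCheck` and the sample origins are constructed for illustration.

```javascript
// Added example: models the browser-side CORS check (Fetch standard) applied to
// a response's access-control-allow-origin header. Sample origins are constructed.

/**
 * @param {string} requestOrigin    serialized origin of the requesting page
 * @param {Object} headers          response headers (names in any case)
 * @param {boolean} withCredentials true when the request is sent with credentials
 * @returns {{allowed: boolean, reason: string}}
 */
function corsCheck(requestOrigin, headers, withCredentials = false) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no access-control-allow-origin header" };
  }
  if (acao === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard is not accepted for credentialed requests" }
      : { allowed: true, reason: "wildcard" };
  }
  // Otherwise the value must equal the page's origin exactly (scheme, host, port).
  if (acao !== requestOrigin) {
    return { allowed: false, reason: `header value ${acao} does not match ${requestOrigin}` };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "access-control-allow-credentials: true is missing" };
  }
  return { allowed: true, reason: "exact origin match" };
}

// Constructed cases covering the wildcard and single-origin headers from this page.
const samples = [
  ["https://www.shop.com", { "access-control-allow-origin": "*" }, false],
  ["https://www.shop.com", { "access-control-allow-origin": "*" }, true],
  ["https://fonts.shop.com", { "Access-Control-Allow-Origin": "https://fonts.shop.com" }, false],
  ["https://other.example", { "access-control-allow-origin": "https://fonts.shop.com" }, false],
  ["https://fonts.shop.com", { "access-control-allow-origin": "https://fonts.shop.com" }, true],
];
for (const [origin, headers, creds] of samples) {
  const r = corsCheck(origin, headers, creds);
  console.log(`${origin} creds=${creds}: ${r.allowed ? "allowed" : "blocked"} (${r.reason})`);
}
```

The credentialed cases show why a wildcard or a bare `access-control-allow-origin` value is not enough when requests carry cookies or HTTP authentication.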

