Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Allowing WOFF fonts to be accessed from other domains (CORS)

Rehno Lindeque edited this page · 3 revisions
Clone this wiki locally


There's now some middleware available on hackage to help with CORS:

WOFF fonts may not be accessed from other domains by default. That means that your page at may not access a font The solution is to add a CORS header to the WOFF font allowing it to be used from other domains.

A simple way of doing so is by rewriting all responses whose Content-type is application/font-woff in order to include the CORS header. You may do so using the following simple WAI middleware:

-- | Add a permissive CORS header to WOFF files.
-- Written for wai-1.4.0 and http-types-0.8.0 but may work on
-- many previous or next versions.
addCORStoWOFF :: W.Middleware
addCORStoWOFF app = fmap updateHeaders . app
    updateHeaders (W.ResponseFile    status headers fp mpart) = W.ResponseFile    status (new headers) fp mpart
    updateHeaders (W.ResponseBuilder status headers builder)  = W.ResponseBuilder status (new headers) builder
    updateHeaders (W.ResponseSource  status headers src)      = W.ResponseSource  status (new headers) src
    new headers | woff      = cors : headers
                | otherwise =        headers
      where woff = lookup HT.hContentType headers == Just "application/font-woff"
            cors = ("Access-Control-Allow-Origin", "*")
Something went wrong with that request. Please try again.