Requesting files from a different host can cause problems because of Cross-Origin Resource Sharing (CORS) policies:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://cdn.example.com/fonts/fontawesome-webfont.woff. This can be fixed by moving the resource to the same domain or enabling CORS.

Cross-domain requests would otherwise be forbidden by a lot of web browsers, because of the same-origin security policy.

Because there are some browsers which ignore the same-origin security policy, you should enable CORS on nginx if you host content on a different domain or subdomain. Otherwise the client can’t load the requested files.

In my case Safari ignores the same-origin security policy if the file is on the same domain, but on a different subdomain – Firefox takes care of the policy and blocks the request – and the client isn’t able to load the file. This could change from version to version. So it’s recommended to enable cross-origin requests!

To enable CORS, modify the nginx config file containing the server block that serves the external files.

Just place an add_header directive inside the location block of that server block:

location / {
    # Any origin may read responses served from this location
    add_header 'Access-Control-Allow-Origin' *;
}

In my example I use a wildcard to allow requests from every origin. Instead of the wildcard, we could restrict access to a single origin by changing it to http://www.example.com.

To enable CORS only for *.example.com you should use this:

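location / {
    # ^ and $ anchor the match so the whole Origin value must be a
    # subdomain of example.com, not merely contain one
    if ($http_origin ~* ^(https?://[^/]*\.example\.com(:[0-9]+)?)$) {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }
}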

Multiple domains can also be allowed:

location / {
    # One anchored alternation covering subdomains of both domains
    if ($http_origin ~* ^(https?://[^/]*\.example\.com(:[0-9]+)?|https?://[^/]*\.otherdomain\.com(:[0-9]+)?)$) {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }
}
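A way to check an origin pattern before putting it into the nginx config, as an added example that is not part of the original post: it emulates the `if ($http_origin ~* ...)` test (a case-insensitive search that matches anywhere in the value unless anchored) and compares a pattern without anchors to the same pattern wrapped in ^ and $. The function names and the sample Origin values are assumptions constructed for this illustration.

```python
import re

# Same pattern shape as the nginx config above, without and with ^...$ anchors.
UNANCHORED = r"(https?://[^/]*\.example\.com(:[0-9]+)?)"
ANCHORED = r"^(https?://[^/]*\.example\.com(:[0-9]+)?)$"

# Constructed sample Origin header values (not taken from the original page).
SAMPLES = [
    "https://cdn.example.com",                # subdomain, should be allowed
    "HTTP://Static.Example.COM:8080",         # case and port variation
    "https://example.com",                    # bare domain, no subdomain label
    "https://www.otherdomain.com",            # unrelated domain
    "https://www.example.com.attacker.test",  # example.com only as a prefix
]


def allow_origin_header(origin, pattern):
    """Emulate: if ($http_origin ~* pattern) { add_header ACAO "$http_origin"; }

    Returns the Access-Control-Allow-Origin value that would be sent,
    or None when the condition is false and no header is added.
    """
    if origin and re.search(pattern, origin, re.IGNORECASE):
        return origin  # the config reflects the request's Origin verbatim
    return None


def audit(pattern):
    """Map every sample origin to True (header sent) or False (no header)."""
    return {o: allow_origin_header(o, pattern) is not None for o in SAMPLES}


if __name__ == "__main__":
    loose, strict = audit(UNANCHORED), audit(ANCHORED)
    for origin in SAMPLES:
        print(f"{origin:40} unanchored={loose[origin]!s:5} anchored={strict[origin]}")
```

Because the header value depends on the request's Origin, responses served this way should also carry `Vary: Origin` so shared caches do not reuse one origin's header for another.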

Finally, reload nginx (Debian: /etc/init.d/nginx reload) and test it. Have a look at the response headers (Firebug helps; you may have to clear your browser cache). You should see something like this:

HTTP/1.1 200 OK
...
Access-Control-Allow-Origin: *
...