Enabling CORS on IIS for only Font files
You should add this code to your Web.config:
<location path="fonts/FontName.ttf">
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="*" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</location>
You can install the IIS rewrite Module: https://www.microsoft.com/en-us/download/details.aspx?id=7435. After installing the module, restart your IIS Manager and click on your website under the “Sites” node. If you see the URL Rewrite Module symbol (shown below) in the window on the right under IIS section, then you are ready to go:
Then on your Web.config, you need to add the following rule:
<rewrite>
    <rules>
        <rule name="Add Cross Origin Access">
            <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
            <conditions>
                <add input="{REQUEST_URI}" pattern="^[^\?]+\.(ttf|otf|eot|woff|woff2|svg)(\?.*)?$" />
            </conditions>
            <action type="Rewrite" value="*"/>
        </rule>
    </rules>
</rewrite>
Hackerman's answer is great and it led me to a solution; however, there are a few adjustments that I had to make. The first was placing the rule in the outboundRules section under the rewrite node.
<outboundRules>
    <rule name="Enable CORS for Fonts">
        <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
        <conditions>
            <add input="{REQUEST_URI}" pattern="^[^\?]+\.(ttf|otf|eot|woff|woff2|svg)(\?.*)?$" />
        </conditions>
        <action type="Rewrite" value="*" />
    </rule>
</outboundRules>
Lastly, the regex was updated to prevent requests such as the ones below, which would allow someone to request any URL across origins:
/some/critical/javascript/file.js?v=.woff
/api/secure/users?v=.woff
... but it still allows the following:
/some/font.woff
/some/font.woff?etag
/some/font.woff?v=123
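Added example, not part of the answers above: a small audit that runs the condition pattern from the outbound rule over the URIs listed in the last answer, so you can check which requests would receive `Access-Control-Allow-Origin: *` before deploying the rule. `LOOSE_RULE`, the helper names and the two URIs marked "constructed" are assumptions made for illustration; the case-insensitive flag mirrors URL Rewrite's default `ignoreCase` behaviour.

```javascript
// Added example: audits which request URIs the outbound rule's condition matches.
// IIS URL Rewrite uses ECMAScript regex syntax by default and, unless
// ignoreCase="false" is set, matches case-insensitively, hence the "i" flag.
const FONT_RULE = /^[^\?]+\.(ttf|otf|eot|woff|woff2|svg)(\?.*)?$/i;

// Assumption: a looser pattern that only looks for a font extension at the end of
// the whole URI (query string included). Constructed for contrast; not from the page.
const LOOSE_RULE = /\.(ttf|otf|eot|woff|woff2|svg)$/i;

// True when the rule would rewrite Access-Control-Allow-Origin for this URI.
function getsCorsHeader(requestUri, pattern = FONT_RULE) {
  return pattern.test(requestUri);
}

// Compare expected decisions with what a pattern does; returns the mismatching URIs.
function auditPattern(cases, pattern) {
  return cases
    .filter(({ uri, expectCors }) => getsCorsHeader(uri, pattern) !== expectCors)
    .map(({ uri }) => uri);
}

// URIs taken from the answer above, plus two constructed ones marked as such.
const CASES = [
  { uri: "/some/critical/javascript/file.js?v=.woff", expectCors: false },
  { uri: "/api/secure/users?v=.woff", expectCors: false },
  { uri: "/some/font.woff", expectCors: true },
  { uri: "/some/font.woff?etag", expectCors: true },
  { uri: "/some/font.woff?v=123", expectCors: true },
  { uri: "/some/font.WOFF2?v=1", expectCors: true },  // constructed
  { uri: "/some/font.woff.bak", expectCors: false },  // constructed
];

console.log("anchored rule mismatches:", auditPattern(CASES, FONT_RULE));
console.log("loose rule mismatches:   ", auditPattern(CASES, LOOSE_RULE));
```

Extend `CASES` with paths from your own site (API routes, scripts, downloads) and keep the audit in your deployment checks so a later regex edit cannot silently widen the header's scope.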