Cross-Origin Resource Sharing
Browsers block cross-origin use of certain resources by default—web fonts referenced from another domain, fetch() requests, WebGL textures, some SVG uses. If a project on Surge hosts assets that your other sites need to load, enable CORS for it with a CORS file (no extension) in the root of the directory you publish.
This is the setup for using a Surge project as an asset host: fonts shared across your properties, an icon set, a data file your apps fetch.
Allow any origin
Put a single * in the file:
echo '*' > CORS
surge
Every response now carries Access-Control-Allow-Origin permitting any site to use the assets. Right choice for public assets—fonts, icons, open data.
Allow specific origins only
List the origins, one per line, instead:
https://example.com
https://blog.example.com
Only those origins are permitted; requests from anywhere else still get the browser's default blocking.
Notes
- The
CORSfile itself is never served. - CORS is a paid-plan feature—the CLI prompts you to upgrade on first publish with the file present. See Plans.
- The policy applies project-wide. If only some assets should be shared, put them in their own project (a dedicated
assets.example.com, say) and give that project theCORSfile.