Cross-Origin Resource Sharing

Browsers block cross-origin use of certain resources by default—web fonts referenced from another domain, fetch() requests, WebGL textures, some SVG uses. If a project on Surge hosts assets that your other sites need to load, enable CORS for it with a CORS file (no extension) in the root of the directory you publish.

This is the setup for using a Surge project as an asset host: fonts shared across your properties, an icon set, a data file your apps fetch.

Allow any origin

Put a single * in the file:

echo '*' > CORS
surge

Every response now carries Access-Control-Allow-Origin permitting any site to use the assets. Right choice for public assets—fonts, icons, open data.

Allow specific origins only

List the origins, one per line, instead:

https://example.com
https://blog.example.com

Only those origins are permitted; requests from anywhere else still get the browser's default blocking.

Notes

  • The CORS file itself is never served.
  • CORS is a paid-plan feature—the CLI prompts you to upgrade on first publish with the file present. See Plans.
  • The policy applies project-wide. If only some assets should be shared, put them in their own project (a dedicated assets.example.com, say) and give that project the CORS file.