Opened 3 years ago

#5477 new enhancement

Add CORS headers for responses from

Reported by: westonruter Owned by:
Milestone: Priority: normal
Component: General Keywords:


I'm working on the PWA plugin to enable offline browsing for previously-visited pages. In order to ensure that pages are available offline, I'm adding a network-first caching strategy for:

  • navigation requests
  • theme assets
  • plugin assets
  • uploaded images
  • core assets

I've come up against an issue specifically with the core assets, specifically as it relates to core pulling in images from namely Twemoji.

The issue is that responses from do not include CORS headers.

$ curl -I
HTTP/2 200
server: nginx
date: Fri, 16 Oct 2020 19:56:50 GMT
content-type: image/svg+xml
content-length: 1020
vary: Accept-Encoding
last-modified: Mon, 15 Jun 2020 17:45:48 GMT
x-frame-options: SAMEORIGIN
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-nc: HIT sea 2
x-content-type-options: nosniff
accept-ranges: bytes

By lacking Access-Control-Allow-Origin: *, programmatic fetches to grab images from the CDN such as by a service worker or via a fetch() in the block editor will not be able to read from the response body. They will be "opaque" responses. When opaque responses are stored using the Cache API, they get assigned random sizes to guard against information leakage. See

Please add Access-Control-Allow-Origin: * to responses from
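
The behaviour described in the ticket, as an added example that is not part of the original report: a small model of the Fetch specification's CORS check, run over a subset of the response headers from the curl output above. The requesting origin `https://example.com` and all function names are assumptions made for illustration.

```javascript
// Added example: models the Fetch-spec CORS check for a cross-origin request.
// Headers are a subset of the ticket's curl output; the origin is a constructed placeholder.
const TICKET_HEADERS = `HTTP/2 200
server: nginx
content-type: image/svg+xml
content-length: 1020
x-frame-options: SAMEORIGIN
cache-control: max-age=315360000
x-content-type-options: nosniff`;

// Parse `curl -I` style output into a Map keyed by lowercase header name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(':');
    if (idx > 0) {
      headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
    }
  }
  return headers;
}

// True when the response passes the CORS check for the requesting origin.
function corsCheck(headers, origin, credentialsMode = 'same-origin') {
  const allow = headers.get('access-control-allow-origin');
  if (allow === undefined) return false;                       // header missing
  if (credentialsMode !== 'include' && allow === '*') return true;
  if (allow !== origin) return false;                          // must match exactly
  if (credentialsMode !== 'include') return true;
  return headers.get('access-control-allow-credentials') === 'true';
}

// What a script gets back for a cross-origin fetch in the given request mode.
function responseTypeFor(mode, headers, origin, credentialsMode) {
  if (mode === 'no-cors') return 'opaque'; // body, status and headers unreadable
  return corsCheck(headers, origin, credentialsMode) ? 'cors' : 'network-error';
}

// Copy of the header map with one header added, to compare before and after.
function withHeader(headers, name, value) {
  return new Map(headers).set(name.toLowerCase(), value);
}

const current = parseHeaders(TICKET_HEADERS);
const requested = withHeader(current, 'Access-Control-Allow-Origin', '*');
console.log(responseTypeFor('cors', current, 'https://example.com'));
console.log(responseTypeFor('cors', requested, 'https://example.com'));
```

With the headers as served, a `cors`-mode fetch fails and a `no-cors` fetch yields an opaque response; with the requested header added, the `cors`-mode fetch returns a readable response.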
