There are plenty of posts from people having problems enabling CORS on their app - I think I’m running into the opposite:
We’re trying to share resources from our site to affiliated services (licensed fonts on a 3rd party UGC platform), and where I was expecting we would have to explicitly whitelist that domain in either our netlify.toml config or a _headers file, we are actually getting a full set of CORS headers in the response already. What gives? Is it specifically because it’s a font? Or are these headers being set elsewhere, in a place configurable by us?
My concern is that if this is the case, then surely the rest of our content is being served with no cross-origin restrictions, which isn’t good.
Our .toml has no header entries in it, and our _headers file has only the line