How to add an Access-Control-Allow-Origin header in IIS7 with restrictions

bobek · Apr 12, 2012 · Viewed 27.4k times

I need to access a font file in my application from the server that I also own. It works for all browsers but Firefox, and I know that I need to add an 'Access-Control-Allow-Origin' header.

So in the root of my server there is another application with a web.config to which I added:

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
  </customHeaders>
</httpProtocol>

It works fine; however, I am not sure what the security issues are here. Is specifying the domain that can access it a good security resolution here? I think I'd rather have this setting only for files in the font folder and not the whole application. I saw a .htaccess solution for it which requires placing the file in the desired folder, but how can I do it with web.config or an IIS setting?

Apache:

<FilesMatch "\.(ttf|otf|eot|woff)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "http://yourdomain.com"
</IfModule>
</FilesMatch>

Thanks a lot,

Answer

twomm · May 3, 2012

Have you tried to put a web.config in the desired subfolder only? Have a look at "ASP.NET Configuration File Hierarchy and Inheritance".
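
An added example (not from the question or the answer) of the approach the answer points to: a web.config placed in the font folder that sends the header for that folder only and names a single allowed origin instead of the wildcard. The folder name `fonts` and the origin `https://app.example.com` are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- fonts/web.config: applies only to responses served from this folder
     and its children. "fonts" and the origin below are assumed names. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any value inherited from a parent web.config (for example
             the site-wide "*"); a second <add> with the same name would
             otherwise fail as a duplicate collection entry. -->
        <remove name="Access-Control-Allow-Origin" />
        <!-- Allow exactly one origin: scheme + host (+ port), no path. -->
        <add name="Access-Control-Allow-Origin" value="https://app.example.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The same `<system.webServer>` section can instead be wrapped in `<location path="fonts">` inside the root web.config. Either way, delete the wildcard entry from the root file so the rest of the application stops sending the header.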