CORS headers
The Cross-Origin Resource Sharing (CORS) HTTP response header allows a server to indicate origins (e.g. domain, scheme, or port) other than its own from which a browser can load static asset resources.
A default CORS policy is returned by VIP’s edge servers for all files that are stored in the VIP File System (files within the path /wp-content/uploads):
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
The same CORS policy is also returned for requests to a limited set of static asset file types that are served from origin (deployed from an application’s wpcomvip GitHub repository) including:
.avif, .css, .eot, .gif, .ico, .ieot, .js, .jpeg,
.mp3, .mp4, .manifest, .mov, opensearch.xml, .otf, .pdf, .png,
.svg, .swf, .ttf, .webm, .webp, .woff2
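An added example (not part of VIP's documentation or tooling): a small audit that decides whether a URL falls under the default policy described above and compares a response's headers against it. The host, paths, and sample responses are constructed, and treating opensearch.xml as a file name rather than an extension is an assumption.

```python
import posixpath
from urllib.parse import urlsplit

# Values copied from the page; "opensearch.xml" as a file name is an assumption.
EXPECTED = {"access-control-allow-methods": "GET, HEAD",
            "access-control-allow-origin": "*"}
UPLOADS_PREFIX = "/wp-content/uploads/"
STATIC_EXTENSIONS = set(
    ".avif .css .eot .gif .ico .ieot .js .jpeg .mp3 .mp4 .manifest .mov "
    ".otf .pdf .png .svg .swf .ttf .webm .webp .woff2".split())
STATIC_FILENAMES = {"opensearch.xml"}


def default_policy_expected(url):
    """True if the page's default CORS policy should apply to this URL."""
    path = urlsplit(url).path  # drops query string and fragment
    name = posixpath.basename(path).lower()
    return (path.startswith(UPLOADS_PREFIX)
            or name in STATIC_FILENAMES
            or posixpath.splitext(name)[1] in STATIC_EXTENSIONS)


def _tokens(value):
    """Compare header values as case-insensitive, order-free token sets."""
    return {t.strip().upper() for t in (value or "").split(",") if t.strip()}


def audit(url, headers):
    """Return a list of findings for one response (empty list = as documented)."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = []
    if default_policy_expected(url):
        for name, want in EXPECTED.items():
            if _tokens(got.get(name)) != _tokens(want):
                findings.append(f"{name}: expected {want!r}, got {got.get(name)!r}")
    elif _tokens(got.get("access-control-allow-origin")) == {"*"}:
        findings.append("wildcard allow-origin outside the documented default; confirm intent")
    return findings


if __name__ == "__main__":
    # Constructed sample responses (hypothetical host and paths).
    samples = [
        ("https://example.com/wp-content/uploads/2025/11/report.docx",
         {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "HEAD, GET"}),
        ("https://example.com/wp-content/themes/t/app.js?ver=3", {}),
        ("https://example.com/account/profile", {"access-control-allow-origin": "*"}),
    ]
    for url, hdrs in samples:
        print(url, "->", audit(url, hdrs) or "ok")
```

Because the default policy is a wildcard origin with GET and HEAD, any site can read these files cross-origin, so the uploads path should hold only content that is meant to be public.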
Last updated: November 19, 2025