Oftentimes I’ll find myself wanting to verify the CORS headers on a specific static resource, such as a webfont.

Consider the following command:

$ curl -I -s -X GET -H "Origin: pixelsonly.com" https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.4.0/fonts/FontAwesome.otf

In the above example I’m asking cURL to return only the response headers (-I) of the specified resource via a GET request (-X GET) that carries an Origin header (-H). Here’s the output:

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Thu, 22 Oct 2015 21:15:04 GMT
Content-Type: application/font-sfnt
Content-Length: 106260
Connection: keep-alive
Last-Modified: Wed, 29 Jul 2015 11:33:54 GMT
Expires: Tue, 11 Oct 2016 21:15:04 GMT
Cache-Control: public, max-age=30672000
Access-Control-Allow-Origin: *
CF-Cache-Status: HIT
Accept-Ranges: bytes
CF-RAY: 2398372a295028ca-SJC

This is especially helpful when working with webfonts served from content delivery networks. To make things even easier and a little more DRY you can add the following function to your ZSH or Bash profile.

corscheck() {
  # Quote the URL so characters such as ? and & are not expanded by the shell.
  curl -I -s -X GET -H "Origin: $1" "$2"
}

The first argument will be the domain that will be making the request and the second is the URL of the resource in question. See the usage example below:

$ corscheck pixelsonly.com https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.4.0/fonts/FontAwesome.otf
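
Reading the headers by eye works for a wildcard response like the one above, but it gets error-prone once a server answers with a specific origin. The following is an added example, not part of the original post: a hypothetical cors_verdict helper that reads the headers curl prints and reports what a browser would decide. Browsers send Origin as scheme://host[:port], so the helper assumes it is given that form; the sample headers are constructed from the output shown earlier.

```shell
#!/bin/sh
# Added example: interpret the CORS headers that `curl -I` prints.

# hdr NAME TEXT: print the value of header NAME (lower-case) found in TEXT.
hdr() {
  printf '%s\n' "$2" | awk -v n="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == n) {
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }
  }'
}

# cors_verdict ORIGIN: read response headers on stdin, print what a browser
# would decide for a cross-origin read from ORIGIN (scheme://host[:port]).
cors_verdict() {
  origin=$1
  headers=$(tr -d '\r')   # curl output uses CRLF line endings
  acao=$(hdr access-control-allow-origin "$headers")
  acac=$(hdr access-control-allow-credentials "$headers")
  vary=$(hdr vary "$headers" | tr 'A-Z' 'a-z')
  if [ -z "$acao" ]; then
    echo "blocked: no Access-Control-Allow-Origin header"
  elif [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
    echo "misconfigured: wildcard cannot be combined with credentials"
  elif [ "$acao" = "*" ]; then
    echo "allowed: wildcard, any origin may read without credentials"
  elif [ "$acao" != "$origin" ]; then
    echo "blocked: header allows $acao, not $origin"
  else
    # An origin-specific answer should vary by Origin so shared caches
    # do not serve one site's response to another.
    case "$vary" in
      *origin*) echo "allowed: origin-specific" ;;
      *) echo "allowed: origin-specific, but Vary: Origin is missing" ;;
    esac
  fi
}

# Constructed sample: the relevant headers from the output shown above.
sample_cdn() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/font-sfnt\r\nAccess-Control-Allow-Origin: *\r\n\r\n'
}

sample_cdn | cors_verdict "https://pixelsonly.com"
# Live use: corscheck https://pixelsonly.com "$url" | cors_verdict https://pixelsonly.com
```

A bare domain such as pixelsonly.com never matches an origin-specific header, because the comparison is an exact string match against the full origin.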