I'm trying to figure out how come all pages under http://static.simonwillison.net/static/cors/ have an open CORS policy. I think I set that up through Cloudflare but I can't figure out where.
I'll help you figure out where the CORS policy is configured for that static directory. Let me first present a plan.
Now let me take a look at your Cloudflare dashboard to find the CORS configuration.
I can see you're on the Cloudflare dashboard. I need to navigate to the simonwillison.net domain to check for CORS settings. Let me click on that domain.
Let me scroll down to find simonwillison.net in the domain list.
Perfect! I can see simonwillison.net in the list. Let me click on it to access its settings.
Now let me click on the simonwillison.net domain link to access its settings.
Great! Now I'm on the simonwillison.net domain page. Let me take a screenshot and look for settings related to CORS or headers.
Perfect! I can see the simonwillison.net domain settings. I can see in the left sidebar there are several sections including "Rules", "Security", "Speed", "Caching", etc. CORS headers are typically configured through Transform Rules or Cloudflare Workers. Let me check the "Rules" section first.
Let me click on the Rules section to explore transform rules, which is where CORS headers are typically configured.
I can see the Rules menu has expanded. Let me click on the Rules item to go to the rules overview page.
Good! I can see there's a "Page Rules" option and also "settings". Let me first check the rules/overview page which should show Transform Rules (URL Rewrite, etc.).
It looks like we're back at the overview. Let me scroll down the left sidebar to see the expanded Rules menu and find "Transform Rules" or similar options.
Let me click on the Rules menu button to expand it.
Perfect! I can see the Rules submenu is expanded. I can see "rules/overview" - let me navigate directly to that to see all the rules configured for this domain.
Good! I'm now on the Rules overview page. The page seems to be loading. Let me wait a moment for it to fully load and then take another screenshot.
Excellent! Now I can see the Rules Overview page. I can see several types of rules listed:
Let me scroll down to see if there are other rule types like "Transform Rules" or headers that might contain the CORS configuration.
Perfect! I found it! I can see "Response Header Transform Rules" with "2 active" rules. This is where CORS headers are typically configured in Cloudflare. Let me continue scrolling to see those rules or click on "Go to Managed..." link to see the details.
Excellent! Found it! I can see the Response Header Transform Rules. There are 2 active rules:
The second rule (entry #2) is clearly the CORS rule! It matches the path /static/cors/ on the static.simonwillison.net domain. Let me click on it to see the full configuration.
Perfect! I can see the rule links. Let me click on the second transform rule (ref_103) which should be the CORS rule for the /static/cors/ path.
Perfect! I found it! Here's the CORS rule configuration:
Rule name: static.simonwillis.net/static/cors-allow/*
This is an "HTTP Response Header Transform Rule" that applies to requests matching a custom filter expression. Let me scroll down to see the rest of the rule configuration, particularly the filter expression and the headers being set.
Excellent! Now I can see the complete configuration:
This rule applies to any URI matching that pattern. Now let me scroll down further to see what response headers are being modified.
Perfect! I found the CORS header configuration! The rule is modifying the response header:
Header name: access-control-allow-origin
Value: *
This is the key to the open CORS policy! It's setting the Access-Control-Allow-Origin header to *, which means it allows requests from any origin.
Let me click on the Value field to see if there's anything else configured or if it's just showing the asterisk.
Summary
Found it! Your open CORS policy for the /static/cors/ directory on static.simonwillison.net is configured through Cloudflare Transform Rules, specifically a Response Header Transform Rule named static.simonwillis.net/static/cors-allow/*.
Here's exactly what's set up:
Rule Configuration:
- Type: HTTP Response Header Transform Rule
- Applies to: Any URL matching https://static.simonwillison.net/static/cors-allow/* (wildcard match)
- Action: Modifies the response header access-control-allow-origin and sets it to *
This is why all pages under that path have an open CORS policy — the * value for Access-Control-Allow-Origin means any origin can access those resources.
Where to find/modify it in the dashboard:
- Go to your domain settings (simonwillison.net)
- Navigate to Rules > Rules Overview (in the left sidebar)
- Scroll down to Response Header Transform Rules (should show 2 active)
- Click on the rule named static.simonwillis.net/static/cors-allow/* to view or edit it
This is the standard way to configure CORS in Cloudflare when you need more flexibility than their zone-level settings allow.