To enable the CORS (Cross-Origin Resource Sharing) on a tipical Amazon infrastructure it is necessary to configure both S3 and CloudFront. The behaviour of the various browser is not the same but on chrome the Header Access-Control-Allow-Origin is expected in the answer.
On S3 you have to add CORS properties in the properties tab. You will insert something like;
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Athorization</AllowedHeader> </CORSRule> </CORSConfiguration>
On CloudFront you have to change the behaviour of the origin to enable the forward of the request header. It is suggested to chose the whitelist mode and select the Origin header to have a better caching. This step is required to let the Origin header reach S3: without it S3 replies ignoring the CORS headers.
To test the result a curl can be used but the Origin header has to be inserted in the request using an existing (authorized) domain.
curl -H "Origin: http://www.example.com" --verbose http://***/fonts/arial.ttf