It needs to be the domain(s) from where you are requesting the resources.
Let's say you use the font for domain http://example.com, then add Access-Control-Allow-Origin: http://example.com. You can space-separate multiple origins.
In some browsers multiple domains cause issues. In that case you can programmatically read the Origin header of the response, check it against some whitelist and respond with the same value in Access-Control-Allow-Origin header. IMO, the latter would be the best practice.
Additional Note
The value of the Access-Control-Allow-Origin header needs to consist of scheme (e.g. http), domain (e.g. example.com) and port (only if it is not a default port).
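One way to implement the allowlist check described above, as an added example that is not part of the original answer: it takes the Origin value sent with the request, reduces it to scheme, host and non-default port, and echoes it back only on an exact match. The names `ALLOWED_ORIGINS`, `normalize_origin` and `cors_headers` and the allowlist entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allowlist for illustration; entries are exact origins, not patterns.
ALLOWED_ORIGINS = frozenset({
    "http://example.com",
    "https://example.com",
    "http://example.com:8080",
})


def normalize_origin(origin):
    """Return scheme://host[:port] (port only if non-default), or None if invalid."""
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        return None
    # A serialized origin carries no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Build the CORS response headers for one request's Origin value."""
    # Vary: Origin keeps shared caches from serving one origin's response to another.
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin)
    # Exact set membership: no substring, prefix or suffix matching.
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```

When the origin is not on the allowlist, the Access-Control-Allow-Origin header is left out entirely, so the browser blocks the cross-origin read.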