Custom Fonts

To allow the LiSA Player to fetch and use the font files served from your host, you’ll need to have the font‐serving host send the proper CORS header so that the browser actually permits the cross‐origin fetch.

Enable CORS on the font host

Even with CSP allowing the LiSA Player domain, the browser will still refuse the request unless the font server responds with:

Access-Control-Allow-Origin: https://player.hello-lisa.com

(or a wildcard * if you’re OK with any origin).

So on the font-serving host's web server configuration (Apache, nginx, CDN, etc.), make sure requests for fonts (e.g. `*.woff or *.woff2) return the header.

nginx

Define a map at http-scope to turn the incoming $http_origin into itself if it’s allowed, or into an empty string otherwise:

map $http_origin $cors_allow_origin {
    default                          "";
    "https://player.hello-lisa.com"  $http_origin;
    "https://{clientId}.loveslisa.tech"  $http_origin;
}

In your font‐serving location block, add the header only when $cors_allow_origin is non-empty:

This way, requests whose Origin is in your map get the header; all others get none.

Apache (httpd) (using SetEnvIf and mod_headers)

Define which origins you allow:

Then use mod_headers to echo it back:

Only requests whose Origin matches your regex will get the header.

Express.js (Node.js)

If you’re using an Express app, you can make a small middleware:

Key points

• Do not use * if you need to support credentialed requests (cookies, HTTP auth).

• Always echo the incoming origin rather than hard-coding more than one in the header.

• Remember to also allow the OPTIONS preflight with the same logic (or via a global handler).

• Clear caches or restart your server after changes so the new headers take effect.

With one of these techniques in place, you can safely serve your fonts to as many specific domains as you like.