Not read the header Access-Control-Allow-Origin * (CSRF)?

Can't seem to get Access-Control-Allow-Origin *
The server itself gives, but no browser sees this header.
Why are unable to ship to the server fonts.

server {
 listen 80;
 add_header 'Access-Control-Allow-Origin' '*';

user www-data;
worker_processes auto;
pid /run/;
include /etc/nginx/modules-enabled/*.conf;

events {
 worker_connections 65536;
 use epoll;
 multi_accept on;

http {

 keepalive_timeout 65;
 keepalive_requests 100000;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;

 client_body_buffer_size 128k;
 client_max_body_size 10m;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 4k;
 output_buffers 1 32k;
 postpone_output 1460;

 client_header_timeout 3m;
 client_body_timeout 3m;
 timeout 3m;

 open_file_cache max=1000 inactive=20s;
 open_file_cache_valid 30s;
 open_file_cache_min_uses 5;
 open_file_cache_errors off;

 include /etc/nginx/cloudflare;
 include /etc/nginx/mime.types;
 default_type application/octet-stream;

 gzip on;
 gzip_min_length 1000;
 gzip_buffers 4 4k;
 gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/ application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/;
 "gzip_disable" "MSIE [1-6]\.";

 error_log /var/log/nginx.error_log warn;

 "log_format" main '$remote_addr - $remote_user [$time_local] '
 '"$request" $status $bytes_sent '
 '"$http_referer" "$http_user_agent" '

 "log_format" download '$remote_addr - $remote_user [$time_local] '
 '"$request" $status $bytes_sent '
 '"$http_referer" "$http_user_agent" '
 '"$http_range" "$sent_http_content_range"';

 map $status $loggable {
 ~^[23] 0;
 default 1;

 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*;

July 8th 19 at 15:52
2 answers
July 8th 19 at 15:54
Browsers have permission to view. Add a title
Access-Control-Allow-Credentials: true
July 8th 19 at 15:56
Yes here nifiga. It turned out that because of the domain. Was .xyz did the same thing on .com and it worked.

Find more questions by tags HTTP headersNginxCSRF