The option is aimed to protect content from using at third-party sites or in third-party applications by adding the Access-Control-Allow-Origin header. A browser looks up the header to check if the content is allowed to be displayed on a site or in an application from which the request has been received.
CDN Resource
Go to Advanced Settings -> the Security section -> the HTTP-header Access-Control-Allow-Origin option.
There are three options:
1. *, for all domains: the content can be accessed from any domain.
2. "$http_origin" if an origin is listed below: you can enter up to 20 domains. When a request is received, the CDN matches the Origin header value and the domains that are specified for the HTTP-Access-Control-Allow-Origin option. If the Origin header value matches one of the specified domains, the CDN adds the Access-Control-Allow-Origin header to the response with the requested domain. If the Origin header value does not match specified domains, the Access-Control-Allow-Origin header is not added. If the header with correct value is present in the response, a browser serves the content.
3. "$http_origin", for all domains: the content can be accessed from any domain. When a request is received, the CDN adds the Access-Control-Allow-Origin header. The header value matches the domain the request was received from.
All the files delivered by CDN will contain Access-Control-Allow-Origin Header.
Rules
Configure Access-Control-Allow-Origin Header only for certain files via Rules.
Go to Advanced Settings -> the Security section -> the HTTP-header Access-Control-Allow-Origin option.
If the option is not added to the list, CDN uses the CDN Resource settings for the HTTP-header Access-Control-Allow-Origin option.
If you add an option to the list but do not enable it, the Access-Control-Allow-Origin header will not be added.