CORS and CSP

If you intend to call Scryfall API methods in client-side JavaScript, or embed Scryfall assets on your site, you should be aware that you may need to respect Cross Origin Resource Sharing (CORS) headers in modern browsers, and also grantlist our domains in your HTTP Content Security Policy (CSP) headers.

Cross Origin Resource Sharing (CORS)

api.scryfall.com, as well as all of the Scryfall image origins, sets CORS headers on GET, HEAD, POST and OPTIONS requests.

Please note that in order to receive CORS headers from our system, you must include the HTTP Origin header in your request, and it must match the domain and protocol of the current page. This is a strict requirement of CORS. Using HTTP Referer or URL parameters will not work.

Content Security Policy (CSP)

For CSP, you can grantlist *.scryfall.com to use our API and our assets. You do not need to grantlist the apex domain.

If you would like an exhaustive list instead, a spec is provided below to merge with your existing CSP header:

connect-src
  api.scryfall.com
  embed.scryfall.com;
img-src
  *.scryfall.io;
style-src
  embed.scryfall.com;
script-src
  embed.scryfall.com;
font-src
  embed.scryfall.com;
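As an added example (not code from the Scryfall docs), a small Node.js helper that merges the directives above into an existing Content-Security-Policy value. The starting policy it is run on is constructed; the default-src handling follows the CSP rule that a fetch directive such as img-src replaces, rather than extends, the default-src fallback, so those sources are copied in first.

```javascript
// Added example: merge the Scryfall CSP fragment into an existing policy.
// Directive names and sources are taken from the fragment above.
const SCRYFALL_CSP = {
  'connect-src': ['api.scryfall.com', 'embed.scryfall.com'],
  'img-src': ['*.scryfall.io'],
  'style-src': ['embed.scryfall.com'],
  'script-src': ['embed.scryfall.com'],
  'font-src': ['embed.scryfall.com'],
};

// Parse a CSP header value into a Map of directive -> ordered source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty segments (trailing ';')
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Serialize the Map back into a single header value.
function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Add sources to an existing policy without duplicating entries. When a
// directive is absent, it is seeded from default-src, because a new
// img-src/connect-src/etc. would otherwise drop the fallback's sources
// (e.g. 'self') for that fetch type and break the site's own resources.
function mergeCsp(existingHeader, extra) {
  const directives = parseCsp(existingHeader);
  const fallback = directives.get('default-src') || [];
  for (const [name, sources] of Object.entries(extra)) {
    const current = directives.get(name) || [...fallback];
    for (const src of sources) {
      if (!current.includes(src)) current.push(src);
    }
    directives.set(name, current);
  }
  return serializeCsp(directives);
}

// Constructed starting policy for a site that only trusts itself and one CDN.
const EXAMPLE_POLICY = "default-src 'self'; script-src 'self' cdn.example.com";
```

Calling mergeCsp(EXAMPLE_POLICY, SCRYFALL_CSP) yields a policy where img-src is 'self' *.scryfall.io rather than *.scryfall.io alone, and running it a second time on its own output changes nothing.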