CORS and CSP
Cross Origin Resource Sharing (CORS)
api.scryfall.com, as well as all of the Scryfall image origins set
CORS headers for
Please note that in order to receive CORS headers from our system, you must include the HTTP Origin header in your request, and it must match the domain and protocol of the current page. This is a strict requirement of CORS. Referer or URL parameters will not work.
Content Security Policy (CSP)
For CSP, you can grantlist *.scryfall.com to use our API and our assets. You do not need to grantlist the apex domain.
If you would like an exhaustive list instead, a spec is provided below to merge with your existing CSP header:
connect-src api.scryfall.com embed.scryfall.com; img-src c1.scryfall.com c2.scryfall.com c3.scryfall.com; style-src embed.scryfall.com; script-src embed.scryfall.com; font-src embed.scryfall.com;
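One way to merge the list above into an existing policy, as an added example that is not Scryfall's own code. The function names parseCsp and mergeCsp are hypothetical, and the existing policies passed to them are constructed sample values.

```javascript
// Source list copied from the spec line above.
const SCRYFALL_CSP =
  "connect-src api.scryfall.com embed.scryfall.com; " +
  "img-src c1.scryfall.com c2.scryfall.com c3.scryfall.com; " +
  "style-src embed.scryfall.com; script-src embed.scryfall.com; " +
  "font-src embed.scryfall.com;";

// Parse a CSP header value into Map<directive name, [sources]>.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. after a trailing ';'
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Hypothetical helper: add the sources in `extra` to the policy `existing`.
function mergeCsp(existing, extra = SCRYFALL_CSP) {
  const policy = parseCsp(existing);
  for (const [name, added] of parseCsp(extra)) {
    // No directive and no default-src: this resource type is unrestricted.
    // Creating the directive would narrow the policy, so leave it alone.
    if (!policy.has(name) && !policy.has("default-src")) continue;
    // A missing fetch directive falls back to default-src. Defining it drops
    // that fallback, so start from the default-src sources to keep them.
    const base = policy.get(name) ?? policy.get("default-src");
    // 'none' is only valid as the sole source; remove it when adding hosts.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of added) if (!merged.includes(src)) merged.push(src);
    policy.set(name, merged);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy, printed after merging.
console.log(mergeCsp("default-src 'self'; img-src 'self' data:; script-src 'none'"));
```

The sketch covers only the five directives in the list above; a policy that also sets script-src-elem or style-src-elem needs those directives updated separately.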