CORS and CSP
If you intend to call Scryfall API methods in client-side JavaScript, or embed Scryfall assets on your site, you should be aware that you may need to respect Cross Origin Resource Sharing (CORS) headers in modern browsers, and also grantlist our domains in your HTTP Content Security Policy (CSP) headers.
Cross Origin Resource Sharing (CORS)
api.scryfall.com, as well as all of the Scryfall image origins, set CORS headers for GET, HEAD, POST, and OPTIONS requests.
Please note that in order to receive CORS headers from our system, you must include the HTTP Origin header in your request, and it must match the domain and protocol of the current page. This is a strict requirement of CORS. Using the HTTP Referer header or URL parameters will not work.
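The following is an added example, not Scryfall's code, that models the rule above from the server's side so the Origin requirement is visible: the browser derives Origin from the page's scheme and host (scripts cannot set it themselves), a request carrying only Referer or query parameters gets no CORS headers, and only the four listed methods are considered. The response header values other than the method list stated above, and the sample requests, are assumptions constructed for the example.

```javascript
// Added example (not Scryfall's code): a model of the CORS rule described on the page.
// Only the method list is taken from the page; response values are assumptions.

const CORS_METHODS = new Set(['GET', 'HEAD', 'POST', 'OPTIONS']);

// What a browser sends as the Origin header for a page loaded from `pageUrl`:
// scheme + host (+ non-default port), never the path, query string or fragment.
function originOfPage(pageUrl) {
  return new URL(pageUrl).origin;
}

// Decide which CORS headers a server following the stated rule would add.
// `request` is a constructed object: { method, headers: { [lowercase name]: value } }.
function corsHeadersFor(request) {
  const method = request.method.toUpperCase();
  if (!CORS_METHODS.has(method)) return {};
  const origin = request.headers['origin'];
  // No Origin header -> no CORS headers, regardless of Referer or URL parameters.
  if (!origin) return {};
  // Origin must be a bare scheme://host[:port]; a path, query or odd casing is rejected.
  let parsed;
  try { parsed = new URL(origin); } catch { return {}; }
  if (parsed.origin !== origin) return {};
  // Assumed response values: echo the origin and advertise the allowed methods.
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-methods': 'GET, HEAD, POST, OPTIONS',
  };
}

// Constructed sample requests (not captured traffic).
const fromBrowser = {
  method: 'GET',
  headers: { origin: originOfPage('https://deckbuilder.example/decks/42?sort=cmc') },
};
const refererOnly = {
  method: 'GET',
  headers: { referer: 'https://deckbuilder.example/decks/42' },
};

console.log(corsHeadersFor(fromBrowser));  // allow-origin echoes https://deckbuilder.example
console.log(corsHeadersFor(refererOnly));  // {} -> the browser blocks the response
```

The practical consequence for client-side code is that a plain fetch() from a page served over HTTPS already satisfies the rule, while a request issued from a file:// page or from a server-side script that omits Origin will not receive the headers.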
Content Security Policy (CSP)
For CSP, you can grantlist *.scryfall.com to use our API and our assets. You do not need to grantlist the apex domain.
If you would like an exhaustive list instead, a spec is provided below to merge with your existing CSP header:
connect-src api.scryfall.com embed.scryfall.com; img-src *.scryfall.io; style-src embed.scryfall.com; script-src embed.scryfall.com; font-src embed.scryfall.com;
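Merging that list into a policy that already exists is where sites usually break something, so here is an added example (not Scryfall's code) of doing the merge mechanically. It parses both header values, unions the sources per directive, and handles the one caveat worth knowing: a fetch directive such as font-src falls back to default-src only while it is absent, so adding font-src embed.scryfall.com to a site that served its own fonts under default-src 'self' would silently block those fonts unless the default-src sources are carried over. The existing site policy in the example is constructed.

```javascript
// Added example (not Scryfall's code): merge the page's CSP directive list into an
// existing Content-Security-Policy header value without losing current permissions.

// Directive list copied from the page.
const SCRYFALL_CSP =
  'connect-src api.scryfall.com embed.scryfall.com; img-src *.scryfall.io; ' +
  'style-src embed.scryfall.com; script-src embed.scryfall.com; font-src embed.scryfall.com;';

// Parse "name src src; name src;" into Map<directive, Set<source>>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    const set = directives.get(key) ?? new Set();
    sources.forEach((s) => set.add(s));
    directives.set(key, set);
  }
  return directives;
}

// Serialize back to header syntax, directives in first-seen order.
function serializeCsp(directives) {
  return [...directives].map(([n, s]) => `${n} ${[...s].join(' ')}`).join('; ');
}

// Union the sources of each directive. A directive that exists only in the
// addition is created; an existing one gains the new sources. New directives are
// seeded with default-src's sources, because once e.g. font-src exists it no
// longer inherits default-src and the site's own fonts would otherwise be blocked.
function mergeCsp(existing, addition) {
  const base = parseCsp(existing);
  const extra = parseCsp(addition);
  const defaults = base.get('default-src');
  for (const [name, sources] of extra) {
    if (!base.has(name)) base.set(name, new Set(defaults ?? []));
    for (const s of sources) base.get(name).add(s);
  }
  return serializeCsp(base);
}

// Constructed site policy (not from the page): own origin only, inline data: images.
const SITE_CSP = "default-src 'self'; img-src 'self' data:";

console.log(mergeCsp(SITE_CSP, SCRYFALL_CSP));
// default-src 'self'; img-src 'self' data: *.scryfall.io; connect-src 'self' api.scryfall.com embed.scryfall.com; style-src 'self' embed.scryfall.com; script-src 'self' embed.scryfall.com; font-src 'self' embed.scryfall.com
```

Run the merged value through a report-only header (Content-Security-Policy-Report-Only) first if the site has other third-party embeds; the parser here deliberately does nothing clever with keywords such as 'unsafe-inline', it only preserves whatever was already allowed.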