GH Pages CORS: Specify Allowed Origins

Since 2015, GitHub Pages supports Cross-Origin Resource Sharing (CORS) and every GitHub Pages page has Access-Control-Allow-Origin: * in their response headers by default.

Is there a way to specify which origins should be allowed rather than the wildcard ‘*’? Maybe via a variable in the CI/CD?

We are serving some files with GitHub Pages and trying to load them in another GitHub Pages page in a different repo but we’re having credentials set to include which doesn’t work with the wildcard * for “access-control-allow-origin”.


This is unfortunately something that we don’t support today and don’t have a good solution for.

While I cannot give you a timeline, I can tell you that “custom headers” is something we are thinking about and want to implement.