diff --git a/h5bp/directive-only/cross-domain-ajax.conf b/h5bp/directive-only/cross-domain-ajax.conf
deleted file mode 100644
index 0c98db9..0000000
--- a/h5bp/directive-only/cross-domain-ajax.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# Cross domain AJAX requests
-add_header "Access-Control-Allow-Origin" "*";
diff --git a/h5bp/directive-only/cross-domain-insecure.conf b/h5bp/directive-only/cross-domain-insecure.conf
new file mode 100644
index 0000000..af77eca
--- /dev/null
+++ b/h5bp/directive-only/cross-domain-insecure.conf
@@ -0,0 +1,15 @@
+# Cross domain AJAX requests
+
+# **Security Warning**
+# Do not use this without understanding the concequences.
+# This will permit access from any other website.
+#
+add_header "Access-Control-Allow-Origin" "*";
+
+# Instead of using this file, consider using a specific rule such as:
+#
+# Allow access based on [sub]domain:
+# add_header "Access-Control-Allow-Origin" "subdomain.example.com";
+# OR
+# add_header "Access-Control-Allow-Origin" "*.example.com";
+
diff --git a/h5bp/location/cross-domain-fonts.conf b/h5bp/location/cross-domain-fonts.conf
index 2624796..93d7384 100644
--- a/h5bp/location/cross-domain-fonts.conf
+++ b/h5bp/location/cross-domain-fonts.conf
@@ -1,6 +1,6 @@
 # Cross domain webfont access
 location ~* \.(?:ttf|ttc|otf|eot|woff)$ {
- add_header "Access-Control-Allow-Origin" "*";
+ include h5bp/directive-only/cross-domain-insecure.conf;
 
 # Also, set cache rules for webfonts.
 #
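Review bot: The two "specific rule" examples at the end of the new cross-domain-insecure.conf are not valid Access-Control-Allow-Origin values and will not work as written: the header accepts either `*` or exactly one origin (scheme plus host, optionally port), so browsers will reject both a bare host without a scheme and a wildcard like `*.example.com`. I would change the examples to `# add_header "Access-Control-Allow-Origin" "https://subdomain.example.com";` and replace the `*.example.com` line with a sentence saying that allowing a set of subdomains requires matching `$http_origin` against an allow-list (for example with an nginx `map`) and echoing the matched origin back, together with `add_header Vary Origin;` so caches do not serve one origin's response to another. The warning block could also note that the wildcard cannot be combined with `Access-Control-Allow-Credentials: true`, so the real exposure is that any site can read the unauthenticated responses served under this rule. The typo `concequences` should be `consequences`.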
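Review bot: The fonts location now pulls in a file called cross-domain-insecure.conf without saying why a wildcard origin is acceptable here, which invites operators to strip it out and break cross-origin font loading (Firefox refuses cross-origin webfonts without a CORS header). I would add a line above the include such as `# Webfonts are public, non-credentialed assets, so the wildcard origin from the included file is intentional here.` Note also that this hunk is the only place the deleted cross-domain-ajax.conf was included in this diff; any user configuration that still includes the old path will fail `nginx -t` after this change, which may be worth a mention in the commit message or a changelog entry. The location block's closing brace lies outside the hunk.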