Open Bug 1056320 Opened 10 years ago Updated 2 years ago

Loading font files from fontface fails when used over https protocol that requests client certificates


(Core :: Layout: Text and Fonts, defect)

31 Branch





(Reporter: gregory.ziskind, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140730101922

Steps to reproduce:

Created a font server hosted with nginx over HTTPS that requires a client certificate be passed with all requests. Also hosted a CSS file that includes @font-face declarations on that nginx server. Created a site hosted on a separate machine that will use the remotely hosted CSS file. CORS is also enabled on the nginx server.

Actual results:

When the page loads, it loads the CSS no problem, but when the fonts are loaded, there is a 400 bad request error. 

When the nginx server is changed to not require client certificates, the fonts load correctly. It seems as if the request to download the font is not providing the client certificate that was provided with all other requests.

Expected results:

The fonts should have loaded from the remote server without error.
Could you post a testcase showing the issue when downloading fonts via HTTPS? (maybe a public page of your website)
Component: Untriaged → Layout: Text
Flags: needinfo?(gregory.ziskind)
Product: Firefox → Core
Do loads work from that server for other types of requests?  For example, documents, style sheets, scripts, XMLHttpRequest?

(I'm wondering if this is related to the null callbacks parameter passed to NS_NewChannel in nsFontFaceLoader.cpp, though we pass null callbacks in quite a few other places as well.)
Unfortunately the website cannot be made public as it is on a private network. 

The loads of stylesheets and scripts work fine, but XMLHttpRequests do not work unless the requirement for client certificates is disabled.

On failure Firebug will give an error of "NetworkError: 400 Bad Request" with an error message of:

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <url>. This can be fixed by moving the resource to the same domain or enabling CORS."

However, I believe this error message is misleading, and the reason I am getting it is that the request is being denied at the server; when the browser receives a 400 error, it does not get the CORS headers necessary to stop this message from displaying.
Flags: needinfo?(gregory.ziskind)
Flags: needinfo?(gijskruitbosch+bugs)
Flags: needinfo?(gijskruitbosch+bugs)
Severity: normal → S3
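
The pattern described in the thread (stylesheets and scripts succeed, fonts and XMLHttpRequests get a 400 that the browser reports as a CORS failure) can be confirmed from the server side. The following is an added example, not code from the bug, Mozilla or nginx: it classifies access-log lines, assuming client verification is required and a custom `log_format` (hypothetical name `tlsdiag`) that records `$http_origin` and `$ssl_client_verify`; the log lines and host names are constructed.

```python
import re
from collections import Counter

# Assumed nginx log format (not from the bug report):
#   log_format tlsdiag '$remote_addr "$request" $status "$http_origin" $ssl_client_verify';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" (?P<verify>.+)$'
)

# Constructed sample lines mirroring the behaviour reported in the thread.
SAMPLE_LOG = """\
10.0.0.5 "GET /css/fonts.css HTTP/1.1" 200 "-" SUCCESS
10.0.0.5 "GET /fonts/body.woff HTTP/1.1" 400 "https://app.example.internal" NONE
10.0.0.5 "GET /api/list HTTP/1.1" 400 "https://app.example.internal" NONE
10.0.0.5 "GET /js/site.js HTTP/1.1" 200 "-" SUCCESS
10.0.0.9 "GET /fonts/body.woff HTTP/1.1" 400 "-" FAILED:certificate has expired
"""

def classify(line):
    """Label one access-log line by what happened to the client certificate."""
    m = LINE_RE.match(line)
    if m is None:
        return "unparsed"
    status, origin, verify = int(m["status"]), m["origin"], m["verify"]
    cross_origin = origin not in ("", "-")
    if status == 400 and verify == "NONE":
        # No certificate was presented. With an Origin header this is the case
        # from the report: the 400 carries no CORS headers, so the browser
        # shows a same-origin-policy error instead of a TLS/auth error.
        return "no-client-cert-cors" if cross_origin else "no-client-cert"
    if status == 400 and verify.startswith("FAILED"):
        # A certificate was sent but did not verify: a different problem.
        return "client-cert-rejected"
    if verify == "SUCCESS":
        return "client-cert-ok"
    return "other"

def summarize(log_text):
    """Count classifications over a whole log."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:3d}  {label}")
```

Lines labelled `no-client-cert-cors` are the ones to compare against the browser console: each should line up with a "Cross-Origin Request Blocked" message on the client.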