User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Steps to reproduce: Updated to Firefox 39.0.3 on OSX and tried to visit a website which is using Google Fonts. The security bugfix in 39.0.3 which was also related to CORS according to the release notes, might have caused this side-effect/bug. Actual results: The fonts were not displayed correctly, in the log I found: downloadable font: download failed (font-family: "Cinzel" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed source: http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2 It downloads fine in Safari and in Google Chrome. Expected results: Should have downloaded the font as the "Access-Control-Allow-Origin:*" response header is set, and used it.
Severity: normal → critical
Component: Untriaged → Security
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Do you have an example URL that shows the error ?
Severity: critical → normal
Component: Security → Security
Product: Firefox → Core
Please have a look at my description, there is an example URL from Google Fonts. Works fine everywhere except Firefox 39.0.3 curl -v http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2 > /dev/null shows "Access-Control-Allow-Origin: *" Firefox 39.0.3 shows a connection error and the "bad URI or cross-site access not allowed.." message in the console log.
>Please have a look at my description, there is an example URL from Google Font There is a URL with a link to a google font but we always want a test URL in a bug report that shows the bug directly and in this case a URL or attached html file that embeds the font.
Interesting, today, the bug does not occur anymore. Then I assume it was not a Firefox problem but a Google Fonts bug, because they deliver different fonts for each browser. Probably the one they delivered for Firefox was incorrect. Thanks anyway, this problem is resolved now.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.