Closed Bug 1192422 Opened 9 years ago Closed 9 years ago

Firefox 39.0.3 breaks CORS

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
39 Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: clemensgru, Unassigned)

Details

(Keywords: regression) 

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Steps to reproduce:

Updated to Firefox 39.0.3 on OSX and tried to visit a website which is using Google Fonts.

The security bugfix in 39.0.3 which was also related to CORS according to the release notes, might have caused this side-effect/bug.


Actual results:

The fonts were not displayed correctly, in the log I found: downloadable font: download failed (font-family: "Cinzel" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed source: http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2

It downloads fine in Safari and in Google Chrome.


Expected results:

Should have downloaded the font as the "Access-Control-Allow-Origin:*" response header is set, and used it.
Severity: normal → critical
Component: Untriaged → Security
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Do you have an example URL that shows the error ?
Severity: critical → normal
Flags: needinfo?(clemensgru)
Keywords: regression
Product: Firefox → Core
Please have a look at my description, there is an example URL from Google Fonts. Works fine everywhere except Firefox 39.0.3

curl -v http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2 > /dev/null shows "Access-Control-Allow-Origin: *"

Firefox 39.0.3 shows a connection error and the "bad URI or cross-site access not allowed.." message in the console log.
Flags: needinfo?(clemensgru)
>Please have a look at my description, there is an example URL from Google Font
There is a URL with a link to a google font but we always want a test URL in a bug report that shows the bug directly and in this case a URL or attached html file that embeds the font.
Interesting, today, the bug does not occur anymore.

Then I assume it was not a Firefox problem but a Google Fonts bug, because they deliver different fonts for each browser. Probably the one they delivered for Firefox was incorrect.

Thanks anyway, this problem is resolved now.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.