Firefox 39.0.3 breaks CORS

RESOLVED INVALID

Product: Core
Component: Security
Reporter: clemensgru
Assignee: Unassigned
Version: 39 Branch
Hardware: x86_64
OS: Mac OS X
Keywords: regression
Firefox Tracking Flags: Not tracked

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Steps to reproduce:

Updated to Firefox 39.0.3 on OSX and tried to visit a website which is using Google Fonts.

The security bugfix in 39.0.3, which was also related to CORS according to the release notes, might have caused this side-effect/bug.


Actual results:

The fonts were not displayed correctly; in the log I found: downloadable font: download failed (font-family: "Cinzel" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed source: http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2

It downloads fine in Safari and in Google Chrome.


Expected results:

Should have downloaded the font as the "Access-Control-Allow-Origin:*" response header is set, and used it.
(Reporter)

Updated

3 years ago
Severity: normal → critical
Component: Untriaged → Security
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Do you have an example URL that shows the error?
Severity: critical → normal
Component: Security → Security
Flags: needinfo?(clemensgru)
Keywords: regression
Product: Firefox → Core
(Reporter)

Comment 2

3 years ago
Please have a look at my description; there is an example URL from Google Fonts. Works fine everywhere except Firefox 39.0.3.

curl -v http://fonts.gstatic.com/s/cinzel/v4/i2BwM1Eq2JyiNOY_VrkubOvvDin1pK8aKteLpeZ5c0A.woff2 > /dev/null shows "Access-Control-Allow-Origin: *"

Firefox 39.0.3 shows a connection error and the "bad URI or cross-site access not allowed.." message in the console log.
Flags: needinfo?(clemensgru)
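
The header check from the curl command above, written out as an added JavaScript example (not part of the bug thread and not Firefox's code): it applies the CORS check used for a font fetch made without credentials to a raw response header dump. The page origin https://site.example and the header dumps are constructed for illustration.

```javascript
// Added example. The header dumps and https://site.example are constructed
// for illustration; nothing here was captured from fonts.gstatic.com.
const SAMPLES = {
  wildcard: "HTTP/1.1 200 OK\r\nContent-Type: font/woff2\r\nAccess-Control-Allow-Origin: *\r\n\r\n",
  missing: "HTTP/1.1 200 OK\r\nContent-Type: font/woff2\r\n\r\n",
  otherOrigin: "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://other.example\r\n\r\n",
  duplicated: "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n" +
              "access-control-allow-origin: https://site.example\r\n\r\n",
};

// Parse a raw header dump (as printed by `curl -sI`) into name -> [values].
// Header names are case-insensitive; the status line has no colon and is skipped.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    headers.set(name, [...(headers.get(name) || []), line.slice(i + 1).trim()]);
  }
  return headers;
}

// CORS check for a font fetch made without credentials: the response passes
// only if Access-Control-Allow-Origin is "*" or byte-for-byte equal to the
// origin of the page that embeds the font.
function fontCorsCheck(rawResponse, pageOrigin) {
  const acao = parseHeaders(rawResponse).get("access-control-allow-origin");
  if (!acao) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  const value = acao.join(", "); // repeated headers are combined before comparison
  if (value === "*") return { allowed: true, reason: "wildcard" };
  if (value === pageOrigin) return { allowed: true, reason: "exact origin match" };
  return { allowed: false, reason: `"${value}" does not match ${pageOrigin}` };
}

for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = fontCorsCheck(raw, "https://site.example");
  console.log(`${name}: ${r.allowed ? "allowed" : "blocked"} (${r.reason})`);
}
```

Since the thread ends with the observation that the font service delivers different fonts for each browser, a header dump fed to this check is only representative if it was captured with the failing browser's User-Agent rather than curl's default.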
>Please have a look at my description, there is an example URL from Google Font
There is a URL with a link to a Google font, but we always want a test URL in a bug report that shows the bug directly, and in this case a URL or attached HTML file that embeds the font.
(Reporter)

Comment 4

3 years ago
Interesting, today, the bug does not occur anymore.

Then I assume it was not a Firefox problem but a Google Fonts bug, because they deliver different fonts for each browser. Probably the one they delivered for Firefox was incorrect.

Thanks anyway, this problem is resolved now.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID