Closed
Bug 1294081
Opened 9 years ago
Closed 9 years ago
Access-Control-Allow-Origin header is parsed incorrectly
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: david, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20160810004000
Steps to reproduce:
We have a page on production that is requesting a ttf font on a different subdomain:
http://stream.golfchannel.com/golf
The url to the font is:
http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0
Actual results:
In Firefox 50.0a this error is thrown in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’).
In Firefox 48 this error is thrown in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*, *').
If I find the request in Network and copy the Response Headers (in either version of Firefox) I get:
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/x-font-ttf
Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT
Etag: "1b0a0de084905946a20300ca8c354865dec46764-gzip"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 109548
Expires: Wed, 10 Aug 2016 15:09:19 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Wed, 10 Aug 2016 15:09:19 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *, *
Vary: Accept-Encoding, User-Agent
Expected results:
If I copy the request as curl and execute it with the -I flag I get the following response:
$ curl 'http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0' -H 'Host: www.golfchannel.com' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0' -H 'Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Referer: http://www.golfchannel.com/public/vendor/Ionicons/css/ionicons.min.css?v=1470779572000' -H 'Origin: http://stream.golfchannel.com' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -I
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/x-font-ttf
Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT
ETag: "1b0a0de084905946a20300ca8c354865dec46764-gzip"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 109548
access-control-allow-origin: *
Expires: Wed, 10 Aug 2016 14:59:25 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Wed, 10 Aug 2016 14:59:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
access-control-allow-origin: *
Vary: User-Agent
It appears that Firefox is parsing the "access-control-allow-origin" incorrectly.
Oh, I can now see from the curl response that we are responding with two access-control-allow-origin: * headers. We'll attempt to remove one to see if that resolves the problem, but the error message could have been more helpful.
Removing the duplicate header resolved the problem.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
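The failure in this report, reproduced offline as an added example (not part of the original bug report and not Firefox code): repeated Access-Control-Allow-Origin fields are combined into one value, "*, *", which matches neither "*" nor the requesting origin. The function names are hypothetical, SAMPLE_RESPONSE is constructed from the curl -I output quoted above, and the check is simplified to non-credentialed requests.

```python
# Constructed sample: a trimmed copy of the curl -I response quoted in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.1\r\n"
    "Content-Type: application/x-font-ttf\r\n"
    "access-control-allow-origin: *\r\n"
    "Vary: Accept-Encoding\r\n"
    "access-control-allow-origin: *\r\n"
    "Vary: User-Agent\r\n"
    "\r\n"
)
ACAO = "Access-Control-Allow-Origin"


def header_values(raw, name):
    """Return every value sent for `name` (case-insensitive), in wire order."""
    values = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # a blank line ends the header block
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def combined_value(values):
    """Join repeated fields with ', ' as HTTP clients do; None if absent."""
    return ", ".join(values) if values else None


def cors_origin_allowed(raw, origin):
    """Simplified check for a non-credentialed request: the combined
    header value must be exactly '*' or exactly the request origin."""
    acao = combined_value(header_values(raw, ACAO))
    return acao is not None and (acao == "*" or acao == origin)


def audit(raw, origin):
    """Summarise what a server operator needs to see for one response."""
    values = header_values(raw, ACAO)
    return {
        "count": len(values),  # more than 1 means a duplicated header
        "combined": combined_value(values),
        "allowed": cors_origin_allowed(raw, origin),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, "http://stream.golfchannel.com"))
```

A count above 1 usually means two layers (for example the application and the proxy in front of it) each add the header; removing one of them restores a single "*" value, as the reporter found.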