Closed Bug 1294081 Opened 9 years ago Closed 9 years ago

Access-Control-Allow-Origin header is parsed incorrectly

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: david, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:50.0) Gecko/20100101 Firefox/50.0 Build ID: 20160810004000 Steps to reproduce: We have a page on production that is requesting a tff font on a different subdomain: http://stream.golfchannel.com/golf The url to the font is: http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0 Actual results: In Firefox 50.0a this error is thrown in the console: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’). In Firefox 48 this error is thrown in the console: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*, *'). If I find the request in Network and copy the Response Headers (in either version of Firefox) I get: HTTP/1.1 200 OK Server: nginx/1.10.1 Content-Type: application/x-font-ttf Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT Etag: "1b0a0de084905946a20300ca8c354865dec46764-gzip" Accept-Ranges: bytes Content-Encoding: gzip Content-Length: 109548 Expires: Wed, 10 Aug 2016 15:09:19 GMT Cache-Control: max-age=0, no-cache Pragma: no-cache Date: Wed, 10 Aug 2016 15:09:19 GMT Connection: keep-alive Access-Control-Allow-Origin: *, * Vary: Accept-Encoding, User-Agent Expected results: If I copy the request as curl and execute it with the -I flag I get the following response: $ curl 'http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0' -H 'Host: www.golfchannel.com' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0' -H 'Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Referer: http://www.golfchannel.com/public/vendor/Ionicons/css/ionicons.min.css?v=1470779572000' -H 'Origin: http://stream.golfchannel.com' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -I HTTP/1.1 200 OK Server: nginx/1.10.1 Content-Type: application/x-font-ttf Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT ETag: "1b0a0de084905946a20300ca8c354865dec46764-gzip" Accept-Ranges: bytes Content-Encoding: gzip Content-Length: 109548 access-control-allow-origin: * Expires: Wed, 10 Aug 2016 14:59:25 GMT Cache-Control: max-age=0, no-cache Pragma: no-cache Date: Wed, 10 Aug 2016 14:59:25 GMT Connection: keep-alive Vary: Accept-Encoding access-control-allow-origin: * Vary: User-Agent It appears that Firefox is parsing the "access-control-allow-origin" incorrectly.
OS: Unspecified → All
Hardware: Unspecified → All
Oh, I can now see from the curl response that we are responding with two access-control-allow-origin: * headers. We'll attempt to remove one to see if that resolves the problem, but the error message could have been more helpful.
Removing the duplicate header resolved the problem.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.