Access-Control-Allow-Origin header is parsed incorrectly

Status: RESOLVED INVALID
Reporter: david (Unassigned)
Version: 50 Branch

Description
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20160810004000

Steps to reproduce:

We have a page on production that is requesting a ttf font on a different subdomain:
http://stream.golfchannel.com/golf

The URL to the font is:
http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0
Actual results:

In Firefox 50.0a this error is thrown in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’).

In Firefox 48 this error is thrown in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*, *').

If I find the request in Network and copy the Response Headers (in either version of Firefox) I get:
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/x-font-ttf
Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT
Etag: "1b0a0de084905946a20300ca8c354865dec46764-gzip"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 109548
Expires: Wed, 10 Aug 2016 15:09:19 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Wed, 10 Aug 2016 15:09:19 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *, *
Vary: Accept-Encoding, User-Agent
Expected results:

If I copy the request as curl and execute it with the -I flag I get the following response:
$ curl 'http://www.golfchannel.com/public/vendor/Ionicons/fonts/ionicons.ttf?v=2.0.0' -H 'Host: www.golfchannel.com' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0' -H 'Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Referer: http://www.golfchannel.com/public/vendor/Ionicons/css/ionicons.min.css?v=1470779572000' -H 'Origin: http://stream.golfchannel.com' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -I
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/x-font-ttf
Last-Modified: Tue, 09 Aug 2016 21:52:52 GMT
ETag: "1b0a0de084905946a20300ca8c354865dec46764-gzip"
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 109548
access-control-allow-origin: *
Expires: Wed, 10 Aug 2016 14:59:25 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Wed, 10 Aug 2016 14:59:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
access-control-allow-origin: *
Vary: User-Agent

It appears that Firefox is parsing the "access-control-allow-origin" incorrectly.
Updated (Reporter)
OS: Unspecified → All
Hardware: Unspecified → All

Comment 1 (Reporter)
Oh, I can now see from the curl response that we are responding with two access-control-allow-origin: * headers. We'll attempt to remove one to see if that resolves the problem, but the error message could have been more helpful.
Comment 2 (Reporter)
Removing the duplicate header resolved the problem.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
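As an added illustration (not code from this bug, Firefox or golfchannel.com): a small emulation of why the two access-control-allow-origin lines in the curl output become the rejected value "*, *", together with the duplicate-header check an operator can run against a raw response. The sample responses are constructed to mirror the report.

```python
# Added example: emulate the browser-side view of repeated headers and
# flag duplicate Access-Control-Allow-Origin (ACAO) lines in a raw response.
from typing import List, Optional, Tuple

# Constructed sample, modelled on the curl output in the report.
SAMPLE_DUPLICATE = """HTTP/1.1 200 OK
Content-Type: application/x-font-ttf
access-control-allow-origin: *
Vary: Accept-Encoding
access-control-allow-origin: *
Vary: User-Agent
"""
# Same response after the fix from Comment 2: a single ACAO header.
SAMPLE_FIXED = """HTTP/1.1 200 OK
Content-Type: application/x-font-ttf
access-control-allow-origin: *
Vary: Accept-Encoding
Vary: User-Agent
"""

def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 head into (lowercased name, value) pairs,
    keeping repeated headers as separate entries."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def combined(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Header-list 'get': repeated headers are joined with ', '. That is right
    for list-valued fields like Vary but turns two ACAO lines into '*, *'."""
    values = [v for n, v in headers if n == name.lower()]
    return ", ".join(values) if values else None

def cors_origin_allowed(headers: List[Tuple[str, str]], request_origin: str,
                        credentials: bool = False) -> bool:
    """Fetch-style CORS check: the combined ACAO value must be exactly '*'
    (non-credentialed requests only) or equal the request's Origin
    byte for byte. It is never parsed as a list, so '*, *' fails."""
    acao = combined(headers, "access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentials
    return acao == request_origin

def duplicate_acao(headers: List[Tuple[str, str]]) -> bool:
    """Server-side sanity check: more than one ACAO header is a misconfiguration."""
    return sum(1 for n, _ in headers if n == "access-control-allow-origin") > 1
```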