Closed Bug 1462908 Opened 6 years ago Closed 6 years ago

[CORS] Custom font from CSS within parent folder subfolder isn't loaded in local

Categories

(Core :: DOM: Security, defect)

60 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 760436

People

(Reporter: extremraym, Unassigned)

Details

(4 keywords, Whiteboard: [DUPEME to bug 760436?])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180516032328

Steps to reproduce:

In local usage, I can't load a custom font (@font-face) from a parent folder subfolder CSS file (relative to the HTML file).

Win 10 x64. Firefox 59.


Actual results:

Custom font isn't loaded.

You can test it by yourself:
https://github.com/X-Raym/firefox-css-from-parent-subfolder-font-face-bug

1. Download the zip
2. Open index.html: the custom font icon is loaded
3. Open sub-folder.html: the custom font icon isn't loaded. It is on Chrome.

Note that 3. works online. It is only in local usage that there is a problem.


Expected results:

The icons should have been loaded, as they are in the online version of the pages.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
20180518222751

I'm positive I've seen this reported before, but I can't find the report in question.


Browser Console output:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///C:/Users/Gingerbread/Desktop/firefox-css-from-parent-subfolder-font-face-bug-master/font/fontello.woff?73082120. (Reason: CORS request not http).
Has STR: --- → yes
Component: Untriaged → DOM: Security
Product: Firefox → Core
Summary: Custom font from CSS within parent folder subfolder isn't loaded in local → [CORS] Custom font from CSS within parent folder subfolder isn't loaded in local
Whiteboard: [DUPEME?]
@Gingerbread Man 
Thanks for having taken a look!

At least we now have a detailed report with files to test and screenshots :)

Do you think it is a bug or a security limitation that shouldn't be changed?
(In reply to Gingerbread Man from comment #1)
> I'm positive I've seen this reported before, but I can't find the report in
> question.

I think bug 760436 is the one I was thinking of. It notes you can enter about:config into the address bar and set security.fileuri.strict_origin_policy to false to get the behavior of other browsers.

(In reply to Daniel Veditz [:dveditz] from bug 539050, comment 2)
> If anything we're going to make the file restrictions /more/ strict to match
> Chrome.
(In reply to Jonathan Kew (:jfkthame) from bug 760436, comment 23)
> I believe that is behaving as expected. By default, only files in or under
> the same directory are considered same-origin for "file:" URLs

:dveditz any change in the above opinion, now that Firefox behavior differs from major browsers?
Flags: needinfo?(dveditz)
Whiteboard: [DUPEME?] → [DUPEME to bug 760436?]
@Gingerbread Man
Thanks for the detailed explanation and for the about:config trick!
It is surprising though that it doesn't work like other browsers, especially considering Firefox is good for handling local files (its Fetch API integration does support Local Files out of the box, very handy, and it is the only browser to allow that - though, this Fetch API thing is another object).

But if, for security reasons, linking fonts locally like that is too sensitive, then indeed it is something to avoid.
This _is_ a dupe of bug 760436. One could argue that that bug should be reopened and that we could make a special exemption to the CORS check in the font code for local files rather than failing. I don't know how the font folks feel about that.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
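
Added example (not part of the bug report and not Firefox code): a small model of the rule quoted in the thread, that for "file:" URLs only files in or under the loading page's directory count as same-origin, and of the security.fileuri.strict_origin_policy pref. The function names and the C:/demo/ folder layout are constructed for illustration; only the font file name and query string come from the console output above.

```javascript
// Model of the file: same-origin rule quoted in the thread. Illustrative only;
// it does not reproduce Firefox internals.

// Directory of a file: URL, with a trailing "/" and without query or hash.
function directoryOf(fileUrl) {
  const u = new URL(fileUrl); // the URL parser also resolves "." and ".." segments
  if (u.protocol !== "file:") throw new TypeError("not a file: URL: " + fileUrl);
  return u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

// strictOriginPolicy stands in for security.fileuri.strict_origin_policy.
// Assumption: with the pref set to false, every local file is same-origin.
function isSameOriginFile(pageUrl, resourceUrl, strictOriginPolicy = true) {
  const resource = new URL(resourceUrl, pageUrl); // relative URLs resolve against the page
  if (resource.protocol !== "file:") return false;
  if (!strictOriginPolicy) return true;
  // Comparing against a path that ends in "/" keeps "/demo-old/" from matching "/demo/".
  return resource.pathname.startsWith(directoryOf(pageUrl));
}

// Constructed layout: index.html at the top level, sub-folder.html assumed to be
// one level down, the font in a sibling "font" folder.
const INDEX_PAGE = "file:///C:/demo/index.html";
const SUB_PAGE = "file:///C:/demo/pages/sub-folder.html";

function demo() {
  return {
    fromIndex: isSameOriginFile(INDEX_PAGE, "font/fontello.woff?73082120"),
    fromSubFolder: isSameOriginFile(SUB_PAGE, "../font/fontello.woff?73082120"),
    fromSubFolderPrefOff: isSameOriginFile(SUB_PAGE, "../font/fontello.woff?73082120", false),
  };
}

console.log(demo());
```

In this model the font is same-origin for index.html but not for sub-folder.html, which matches the "CORS request not http" block reported above; turning the pref off removes the directory restriction for every local page, not just this one.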