Closed Bug 1566404 Opened 5 years ago Closed 5 years ago

CVE-2019-11730 causes icon fonts & web fonts to break for HTML files that are run locally

Categories

(Core :: DOM: Core & HTML, defect)

68 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1565942

People

(Reporter: slegersjohn, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Steps to reproduce:

Open an HTML file on file:/// that uses @font-face with a relative URL.

Actual results:

Due to the change to Firefox 68 described in CVE-2019-11730, icon fonts and web fonts no longer load when I run an HTML file without a web server.

Expected results:

HTML files that are run on file:/// without a web server should serve web fonts reliably, just like files that are run on a web server.

The suggestion to "simply make sure you use HTTPS URLs" when using @font-face is fine and all for files that are on a server, but what about HTML files that are supposed to be run locally?

For example, some of the HTML files I work on are used as documentation for Java products. These products are shipped to our customers and our customers are expected to open these HTML files on their laptops and desktops (without running a web server) if they want to learn how to use our products.

The only way I can think of to keep using our Web Fonts (which include some icon fonts) is to embed the fonts in my CSS files instead of linking them externally. And this is bad for e.g. maintainability.
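
The embedding workaround the reporter mentions can be applied as a build step, so the source stylesheets keep their external font links and only the shipped copy carries inlined fonts. This is an added example, not part of the bug report or of Firefox; `inline_fonts`, `demo` and the sample file names are assumptions made for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# MIME types for common web-font containers.
FONT_MIME = {".woff2": "font/woff2", ".woff": "font/woff",
             ".ttf": "font/ttf", ".otf": "font/otf"}
FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*\}", re.S)
# url(...) with optional matching quotes; group 2 is the reference.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""")


def inline_fonts(css_text, css_dir):
    """Replace relative font url()s inside @font-face blocks with
    base64 data: URIs built from files under css_dir."""
    root = Path(css_dir).resolve()

    def embed(match):
        ref = match.group(2).strip()
        # Leave absolute, scheme-qualified and already-inlined URLs alone.
        if re.match(r"(?:[a-z][a-z0-9+.-]*:|/)", ref, re.I):
            return match.group(0)
        # Drop ?query / #fragment suffixes such as "font.woff?v=2".
        path = (root / re.split(r"[?#]", ref)[0]).resolve()
        mime = FONT_MIME.get(path.suffix.lower())
        # Skip unknown types, missing files and paths escaping css_dir.
        if mime is None or root not in path.parents or not path.is_file():
            return match.group(0)
        data = base64.b64encode(path.read_bytes()).decode("ascii")
        return f'url("data:{mime};base64,{data}")'

    return FONT_FACE_RE.sub(lambda m: URL_RE.sub(embed, m.group(0)), css_text)


def demo():
    """Constructed sample: placeholder font bytes and a stylesheet."""
    with tempfile.TemporaryDirectory() as tmp:
        fonts = Path(tmp) / "fonts"
        fonts.mkdir()
        (fonts / "icons.woff2").write_bytes(b"wOF2")  # not a real font
        css = ('@font-face { font-family: "Icons"; '
               'src: url("fonts/icons.woff2") format("woff2"); }\n'
               'body { background: url("bg.png"); }')
        return inline_fonts(css, tmp)


if __name__ == "__main__":
    print(demo())
```

References that resolve outside the stylesheet directory are left untouched, so a stylesheet cannot pull arbitrary local files into the shipped documentation.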

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Depends on: 1565942
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1565942