Cross site access to fonts failing



7 years ago


(Reporter: KWierso, Assigned: wbamberg)






(1 attachment)



7 years ago
Every time I load a page of the SDK's docs, I see this error logged to the error console:

Error: downloadable font: download failed (font-family: "MetaBlack" style:normal weight:bold stretch:normal src index:0): bad URI or cross-site access not allowed
Source File:
Line: 0
Source Code:
@font-face {   font-family: "MetaBlack";   font-style: normal;   font-weight: bold;   src: url("") format("woff"); }

Comment 1

This is correct behavior; "" and "" are different origins. Cross-site access to downloadable fonts is not allowed by default (see

If the site hosting the fonts wants to allow cross-site access (and if the relevant font license permits this), it needs to set the appropriate CORS headers to tell the browser it is allowed.
Last Resolved: 7 years ago
Resolution: --- → INVALID

Comment 2

7 years ago
Thanks for the additional information. But I do think this is a problem. I stole this code from at the time we moved the SDK docs there, to use the same typeface for the site title that AMO does, and it worked for a while and now doesn't; now it falls back on . I have been meaning to investigate it but haven't had the time.

Note that AMO still works properly, so I suppose we should figure out what that is doing.
Resolution: INVALID → ---

Comment 3

From comparing the requests made when loading your page with those made by AMO, it appears that the resources have moved and are now served from (not .com); you're getting an "HTTP/1.1 301 Moved Permanently" response to the GET request.

So if there's a bug here, it is that @font-face requests don't follow HTTP 301 redirections as would be expected.

A workaround for the SDK docs would be to update the stylesheet to specify the new location of the font. (I see that it comes with "Access-Control-Allow-Origin: *", so there is not actually any restriction on loading it cross-origin.)

Comment 4

7 years ago
P3 for fixing the docs to avoid the problem completely.
I'll file a platform bug about the redirect problem.
Priority: -- → P3

Comment 5

7 years ago
(In reply to Wes Kocher (:KWierso) (Jetpack Bugmaster) from comment #4)
> I'll file a platform bug about the redirect problem.

Actually, I just found bug 616867, which was closed as invalid, covering this exact same issue.

So really, we just need to get the docs to point to the correct file.

(It'd be nice to have the redirect response headers include the Access-Control-Allow-Origin header, but it probably wouldn't really be worth it.)
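
The redirect case discussed in comments 3 and 5, as an added example that is not part of the original bug thread: a simplified JavaScript model of the CORS check that the Fetch standard applies to every response in a redirect chain, not only the final one. The host names and font path are constructed placeholders (the bug's real URLs are not shown), and `corsCheck` and `fontLoadAllowed` are hypothetical helper names.

```javascript
// Simplified model of the Fetch-standard CORS check for a font download.
// Hosts are constructed placeholders; the bug's real URLs are not shown.
const REDIRECTS = [301, 302, 303, 307, 308];

// Fonts are fetched without credentials, so "*" or the exact Origin passes.
function corsCheck(headers, originSent) {
  const acao = headers["access-control-allow-origin"]; // keys lower-cased
  return acao === "*" || acao === originSent;
}

// chain: responses in arrival order, each { url, status, headers }.
// Returns { allowed, failedAt }; failedAt is the URL of the blocking response.
function fontLoadAllowed(pageOrigin, chain) {
  let cors = false;            // becomes true once any hop is cross-origin
  let originSent = pageOrigin; // value of the Origin request header
  for (let i = 0; i < chain.length; i++) {
    const hop = chain[i];
    const hopOrigin = new URL(hop.url).origin;
    if (hopOrigin !== pageOrigin) cors = true;
    // The check applies to redirect responses too, not only the final 200.
    if (cors && !corsCheck(hop.headers, originSent)) {
      return { allowed: false, failedAt: hop.url };
    }
    const next = chain[i + 1];
    if (REDIRECTS.includes(hop.status) && next) {
      const nextOrigin = new URL(next.url).origin;
      // A cross-origin hop redirecting to a different origin taints the
      // request: from then on the browser sends "Origin: null".
      if (hopOrigin !== pageOrigin && nextOrigin !== hopOrigin) originSent = "null";
    }
  }
  return { allowed: true, failedAt: null };
}

const PAGE = "https://docs.example.org";
const OLD = "https://static.example.com/fonts/title.woff";
const NEW = "https://static.example.net/fonts/title.woff";
const allowAll = { "access-control-allow-origin": "*" };

// Case from the thread: bare 301, final response allows any origin.
const bareRedirect = [{ url: OLD, status: 301, headers: {} },
                      { url: NEW, status: 200, headers: allowAll }];
// Workaround from the thread: the stylesheet points at the new location.
const directLoad = [{ url: NEW, status: 200, headers: allowAll }];
// Redirect that also carries the header, as wished for in comment 5.
const openRedirect = [{ url: OLD, status: 301, headers: allowAll },
                      { url: NEW, status: 200, headers: allowAll }];

for (const c of [bareRedirect, directLoad, openRedirect]) console.log(fontLoadAllowed(PAGE, c));
```

Because the request is tainted after the cross-origin redirect, a final response that echoes the page's origin instead of sending `*` would still be blocked in this model.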

Comment 6

7 years ago
Created attachment 569807
change @font-face src target
Assignee: nobody → wbamberg
Attachment #569807 - Flags: review?(myk)
Attachment #569807 - Flags: review?(myk) → review+

Comment 7

7 years ago
Thanks Myk!
Last Resolved: 7 years ago
Resolution: --- → FIXED