Web fonts blocked as cross origin requests

doy · 2014-07-23T03:32:28.525Z

Using Firefox 30 here - this is how the site is rendered for me: http://paste.tozt.net/2014-07-22zwujSrI6-3rEpBrigpQ.png

In the JavaScript console, I see this when loading pages:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://discourse-cdn-sjc1.com/business6/assets/fontawesome-webfont-d070152e08af8f018c788909bbcbafc0.woff?http://discuss.rust-lang.org&amp;1&v=4.0.4. This can be fixed by moving the resource to the same domain or enabling CORS.

downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed
source: https://discourse-cdn-sjc1.com/business6/assets/fontawesome-webfont-d070152e08af8f018c788909bbcbafc0.woff?http://discuss.rust-lang.org&amp;1&v=4.0.4

Is there anything that can be done to fix this?

cmr · 2014-07-23T03:44:28.145Z

@neil, @codinghorror: CDN problems?

I’m using firefox nightly and haven’t noticed any issues…

P1start · 2014-07-23T08:54:36.428Z

This effects me too—FontAwesome doesn’t load, and most avatars don’t load either (although if I click on broken avatars they sometimes get fixed, so I think it’s unrelated). Using Firefox 31 here. I get the same messages in the console, too. (I only just realised that I haven’t updated Firefox (Nightly) for months o_O—I’m updating it now, so I’ll see if that fixes it.)

Edit: I updated to Firefox Nightly 33 and I’m still getting this problem.

tbu · 2014-07-23T11:05:42.208Z

I’m only getting this with HTTPS Everywhere enabled.

doy · 2014-07-23T13:21:47.051Z

Aha, I’m also using HTTPS Everywhere, and disabling that fixes it. Not entirely sure what’s going on though, because neither this site nor the fonts are being loaded as https.

P1start · 2014-07-24T09:45:27.537Z

Yep, disabling HTTPS Everywhere for Fastly fixes the problem. (The avatars are loading normally, too.) Thanks, @tbu!

mcpherrinm · 2014-11-25T23:51:59.357Z

FWIW: There is an open HTTPS Anywhere bug on this.

Apparently we can work around this by unconditionally loading the fastly resources over https, instead of http. It looks like we use protocol-relative URLs right now. I don’t know if this is configurable per-instance.

github.com/EFForg/https-everywhere

Issue: Causes issue with Access-Control-Allow-Origin:*

opened by danielchatfield on 2014-01-02

Browser: chrome
Example (may be fixed soon though Fixed by using https directly): http://yeoman.io/community-generators.html
Page tries to load http://yeoman-generator-list.herokuapp.com/ which results in: XMLHttpRequest...

bug

system · 2019-03-25T08:22:39.841Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.