Web fonts blocked as cross origin requests


#1

Using Firefox 30 here - this is how the site is rendered for me: http://paste.tozt.net/2014-07-22zwujSrI6-3rEpBrigpQ.png

In the JavaScript console, I see this when loading pages:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://discourse-cdn-sjc1.com/business6/assets/fontawesome-webfont-d070152e08af8f018c788909bbcbafc0.woff?http://discuss.rust-lang.org&1&v=4.0.4. This can be fixed by moving the resource to the same domain or enabling CORS.
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed
source: https://discourse-cdn-sjc1.com/business6/assets/fontawesome-webfont-d070152e08af8f018c788909bbcbafc0.woff?http://discuss.rust-lang.org&1&v=4.0.4

Is there anything that can be done to fix this?


#2

@neil, @codinghorror: CDN problems?

I’m using Firefox Nightly and haven’t noticed any issues…


#3

This affects me too—FontAwesome doesn’t load, and most avatars don’t load either (although if I click on broken avatars they sometimes get fixed, so I think it’s unrelated). Using Firefox 31 here. I get the same messages in the console, too. (I only just realised that I haven’t updated Firefox (Nightly) for months o_O—I’m updating it now, so I’ll see if that fixes it.)

Edit: I updated to Firefox Nightly 33 and I’m still getting this problem. :frowning:


#4

I’m only getting this with HTTPS Everywhere enabled.


#5

Aha, I’m also using HTTPS Everywhere, and disabling that fixes it. Not entirely sure what’s going on though, because neither this site nor the fonts are being loaded as https.


#6

Yep, disabling HTTPS Everywhere for Fastly fixes the problem. (The avatars are loading normally, too.) Thanks, @tbu!


#7

FWIW: There is an open HTTPS Anywhere bug on this.

Apparently we can work around this by unconditionally loading the Fastly resources over https, instead of http. It looks like we use protocol-relative URLs right now. I don’t know if this is configurable per-instance.
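
The console message in #1 comes from the browser's CORS check on `@font-face` loads. As an added example (not part of the thread and not Discourse's code), this JavaScript sketch models that check for the font URL quoted above, first as a protocol-relative reference and then after an http-to-https rewrite. The response headers are constructed samples, and `upgradeToHttps` is a hypothetical stand-in for any such rewrite.

```javascript
// Added illustration: models the browser's CORS decision for an @font-face load.
// Response headers passed in are constructed samples, not captured from the CDN.

// A protocol-relative reference ("//host/path") inherits the page's scheme.
function resolveFontUrl(fontRef, pageUrl) {
  return new URL(fontRef, pageUrl);
}

// Hypothetical stand-in for any rewrite that upgrades http:// to https://.
function upgradeToHttps(url) {
  const upgraded = new URL(url.href);
  if (upgraded.protocol === 'http:') upgraded.protocol = 'https:';
  return upgraded;
}

// Origin = scheme + host + port. Cross-origin fonts need an
// Access-Control-Allow-Origin header that is "*" or exactly the page origin.
function fontLoadAllowed(pageUrl, fontUrl, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  const fontOrigin = new URL(fontUrl).origin;
  if (pageOrigin === fontOrigin) return { allowed: true, reason: 'same-origin' };

  // Header names are case-insensitive, so normalise before the lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*' || acao === pageOrigin) {
    return { allowed: true, reason: 'header matches page origin' };
  }
  return { allowed: false, reason: `header allows ${acao}, page is ${pageOrigin}` };
}

const PAGE = 'http://discuss.rust-lang.org/';
const FONT_REF = '//discourse-cdn-sjc1.com/business6/assets/' +
  'fontawesome-webfont-d070152e08af8f018c788909bbcbafc0.woff' +
  '?http://discuss.rust-lang.org&1&v=4.0.4';

const asWritten = resolveFontUrl(FONT_REF, PAGE);   // http://discourse-cdn-sjc1.com/...
const rewritten = upgradeToHttps(asWritten);        // https://discourse-cdn-sjc1.com/...
console.log(fontLoadAllowed(PAGE, rewritten.href, {}));
console.log(fontLoadAllowed(PAGE, rewritten.href,
  { 'Access-Control-Allow-Origin': 'http://discuss.rust-lang.org' }));
```

The header must name the page's exact origin, scheme included, so a response that allows `https://discuss.rust-lang.org` still fails for a page served over plain http.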