SAP: Font CORS no cookies sent in Chrome
Reported by thorsten...@sap.com, Jul 28 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Example URL: http://host2-netlabs.rhcloud.com/

Steps to reproduce the problem:
I’ve created a reproduction available to SAP-externals (externally hosted & no authentication required). Simply open this link in Chrome or Firefox to reproduce the issue: http://host2-netlabs.rhcloud.com/

The cookies are only missing if the font is loaded from a different host. If the fonts come from the same host, the cookies are sent as well. Use this link and check the network tab to see the cookie: http://host1-netlabs.rhcloud.com/

The two websites will load two font files from host1. The second font file will only be returned by the server-side request handler if a cookie is set (any cookie will be accepted, for the sake of simplicity).

See description in attachment "Chrome_icon_font_issue_description.docx"

What is the expected behavior?
Icon-Font is requested with cookie in request header

What went wrong?
Cookie is not sent with request header and therefore some reverse proxies don't provide the icon-font.

Did this work before? N/A

Chrome version: 59.0.3071.115 Channel: stable
OS Version: 10.0
Flash Version:

Related bug reports:
We found a similar issue description in the last comment of this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=518121#c13
However, it seems it wasn’t answered and the bug was simply closed. For Firefox, I wasn’t able to find this specific issue description.

Jul 28 2017
Certain requests to third-party domains don't, by default, include cookies, to protect against cross-origin requests. I assume this is expected behavior. Not sure which is the relevant label for uncredentialed requests.

Jul 31 2017
This is working as intended. Fonts are loaded in "anonymous" mode [1], which means that credentials are not sent to cross-origin.

[1] https://drafts.csswg.org/css-fonts/#font-fetching-requirements
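
The credentials rule behind the "anonymous" mode named in the comment above, as an added JavaScript example that is not part of the original thread: fonts are fetched in CORS mode with credentials mode "same-origin", so cookies go only to the page's own origin. The font path, the resource-kind names and the function names are constructed for illustration, and browser third-party-cookie settings are ignored.

```javascript
// Added example: a model of which subresource requests carry cookies.
// Hosts are the ones from the report; the font path is constructed.

// Default request settings per resource kind (HTML CORS settings attribute).
const REQUEST_PROFILES = {
  // @font-face: always CORS, "anonymous" => credentials mode "same-origin"
  "font": { mode: "cors", credentials: "same-origin" },
  // <img> with no crossorigin attribute: no-cors, credentials included
  "img": { mode: "no-cors", credentials: "include" },
  // <img crossorigin="anonymous">
  "img-anonymous": { mode: "cors", credentials: "same-origin" },
  // <img crossorigin="use-credentials">
  "img-use-credentials": { mode: "cors", credentials: "include" },
};

// Origin = scheme + host + port, so a different port is already cross-origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// True when the browser attaches cookies to this request.
function sendsCookies(pageUrl, resourceUrl, kind) {
  const profile = REQUEST_PROFILES[kind];
  if (!profile) throw new Error(`unknown resource kind: ${kind}`);
  if (profile.credentials === "include") return true;
  if (profile.credentials === "omit") return false;
  // "same-origin": credentials only when the request stays on the page origin
  return sameOrigin(pageUrl, resourceUrl);
}

// Flag the resources a cookie-gated reverse proxy would refuse to serve.
function auditPage(pageUrl, resources) {
  return resources.map(({ kind, url }) => ({
    kind,
    url,
    cookies: sendsCookies(pageUrl, url, kind),
  }));
}

const FONT = "http://host1-netlabs.rhcloud.com/fonts/icons.woff"; // constructed path

// Page on host2 loading the font from host1: no cookie on the font request.
console.log(auditPage("http://host2-netlabs.rhcloud.com/", [{ kind: "font", url: FONT }]));
// Page on host1 loading the same font: cookie is sent.
console.log(auditPage("http://host1-netlabs.rhcloud.com/", [{ kind: "font", url: FONT }]));
```
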

Comment 1 by xunji...@chromium.org, Jul 28 2017
Labels: -OS-Windows OS-All
Status: Untriaged (was: Unconfirmed)