
Issue 764736

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 411338
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug




Chrome not sending Authorization header for cross domain font requests

Reported by b...@collage.co, Sep 13 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Protect website via HTTP basic
2. Host fonts on another domain (like a CDN)
3. Open webpage
4. Enter HTTP basic password for primary domain
5. Enter http basic for secondary CDN domain

What is the expected behavior?
Chrome sends authorization header for font requests coming from CDN domain

What went wrong?
No authorization header was sent

Did this work before? N/A 

Chrome version: 61.0.3163.79  Channel: stable
OS Version: OS X 10.12.5
Flash Version: 

Seems to be related to this closed bug. I commented there but no one was picking up on it. 

https://bugs.chromium.org/p/chromium/issues/detail?id=516192
 

Comment 1 by mmenke@chromium.org, Sep 13 2017

Cc: mkwst@chromium.org
Components: -Internals>Network Blink>SecurityFeature
I assume cross-origin requests for fonts have a credentials mode of "omit" (which won't include cookies or credentials), so this isn't a network issue, but related to Blink's security logic.

Comment 2 by hdodda@chromium.org, Sep 19 2017

Cc: hdodda@chromium.org
Labels: Needs-Traige-M61 Needs-Feedback
Thanks for reporting the issue.

@bob-- Could you please provide us the sample URL/sample test file to reproduce the issue, and possibly help us with a screencast of the steps, for better understanding?

Thanks!

Comment 3 by b...@collage.co, Oct 4 2017

I can't provide you the HTTP basic credentials we are using at the moment because we are in the middle of a translation cycle and I won't be able to rotate them, but I'll try to explain the issue in more detail.

We have a website hosted on a primary domain. The assets are served from a CDN URL that fronts the assets hosted on the primary domain. The Authorization header is forwarded from AWS CloudFront to the primary domain in order to be able to request the asset. CORS headers are set up on the assets so cross-site font requests should work.

Everything works fine for scripts and images but the Authorization header is not sent for the font request. 





Comment 4 by sheriffbot@chromium.org, Oct 4 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "hdodda@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: TE-NeedsTraige-help
As per C#3, it seems this is out of scope from the TE end; adding the TE-NeedsTraige-help label to move this out of our triaging bucket.

Could someone from the dev team please take a look into this issue?
Thanks!

Components: Blink>Fonts
Labels: OS-Android OS-Chrome OS-Linux OS-Windows
Owner: ksakamoto@chromium.org
Status: Assigned (was: Unconfirmed)
Components: -Blink>Fonts Blink>WebFonts
Mergedinto: 411338
Status: Duplicate (was: Assigned)
This is working as intended. Web fonts are fetched with "Anonymous" CORS mode [1], meaning that credentials are not sent cross origin.

[1] https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements
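
Why the CDN script and image requests in Comment 3 carried the Authorization header while the font request did not, as an added example (not part of the issue thread and not Chromium code). It models the HTML `crossorigin` attribute mapping and the Fetch credentials rule; the hostnames are constructed placeholders and the function names are hypothetical.

```javascript
// Added illustration of the HTML/Fetch rules; not Chromium source.
// All hostnames below are constructed placeholders.
const PAGE = "https://www.example.test/index.html";
const CDN = "https://cdn.example.test";

// HTML "CORS settings attribute" -> request mode and credentials mode.
// Web fonts take no attribute: CSS Fonts always uses the "Anonymous" state.
function requestSettings(kind, crossorigin) {
  if (kind === "font") crossorigin = "anonymous";
  if (crossorigin === undefined) {
    // <img> and classic <script> without a crossorigin attribute
    return { mode: "no-cors", credentials: "include" };
  }
  return crossorigin === "use-credentials"
    ? { mode: "cors", credentials: "include" }
    : { mode: "cors", credentials: "same-origin" };
}

// Fetch: response tainting is "basic" for same-origin requests, otherwise
// "cors" or "opaque" depending on the request mode.
function responseTainting(pageUrl, resourceUrl, mode) {
  const sameOrigin = new URL(pageUrl).origin === new URL(resourceUrl).origin;
  if (sameOrigin) return "basic";
  return mode === "cors" ? "cors" : "opaque";
}

// Fetch: credentials (cookies, cached HTTP auth entries) are attached when
// the credentials mode is "include", or when it is "same-origin" and the
// response tainting is "basic".
function sendsAuthorization(kind, resourceUrl, crossorigin, pageUrl = PAGE) {
  const { mode, credentials } = requestSettings(kind, crossorigin);
  const tainting = responseTainting(pageUrl, resourceUrl, mode);
  return credentials === "include" ||
    (credentials === "same-origin" && tainting === "basic");
}

// The reporter's setup: page on the primary domain, assets on the CDN.
for (const [kind, path] of [["script", "/app.js"], ["img", "/logo.png"],
                            ["font", "/body.woff2"]]) {
  console.log(kind, sendsAuthorization(kind, CDN + path));
}
```

A CDN that requires HTTP authentication for font files will therefore always see unauthenticated font requests from pages on another origin; serving fonts from the page's own origin or exempting them from the auth requirement avoids the mismatch.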
