[csswg-drafts] [css-fonts-3] [css-fonts-4] Font fetching in anonymous mode makes it impossible to link to fonts behind authentication

mrbig has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-fonts-3] [css-fonts-4] Font fetching in anonymous mode makes it impossible to link to fonts behind authentication ==
This issue is to discuss this section in the specification:
https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements
https://www.w3.org/TR/css-fonts-4/#font-fetching-requirements

>  When fetching [fonts], user agents must use "Anonymous" mode

This is implemented in both FF and Chrome in such a way that no user-specific headers, including the Authorization header, are sent when requesting fonts from a different domain.

This leads to weird problems in some rare cases. Let's consider an application that is protected by basic authentication and serves CSS and font files from a CDN, like this:

www.example.com/index.html  - links to css:
    cdn.example.com/example.css  - links to font:
    cdn.example.com/example.ttf

Now this happens when user visits www.example.com:

1. Auth dialog appears for www.example.com realm, then index.html is loaded
1. Auth dialog appears for cdn.example.com realm, then example.css is loaded
1. Browser starts a CORS request for the font file, but without the authorization header => loading the font fails with 401 status code

Even if the user opens the font file directly in a browser tab and enters the correct credentials, when returning to www.example.com the font won't load because the request is anonymized in that context.

A few more discussions around this issue I've found online:
https://bugs.chromium.org/p/chromium/issues/detail?id=516192
https://stackoverflow.com/questions/34811208/my-css-cant-load-web-font-woff-files-located-on-an-other-httpsauth-server-cors

Please let me know if this behavior was intentional in the spec, or make it clear if current implementations aren't working as expected.

Thank you

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3194 using your GitHub account

Received on Thursday, 4 October 2018 08:48:14 UTC
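
The three-step sequence reported in the issue, modelled as an added example (not code from the issue, the specifications or any browser). It assumes https URLs, that the user has already entered valid credentials for both realms, and that a plain stylesheet link is fetched with credentials mode "include" while the font is fetched with "same-origin" (the "Anonymous" mode); all function and field names are hypothetical.

```javascript
// Added illustration (not from the issue or the specs): a simplified model of
// when a browser attaches stored credentials to a subresource request.
// Function and field names are hypothetical.

// Fetch credentials modes: "include" always sends, "same-origin" sends only when
// the request URL's origin equals the document's origin, "omit" never sends.
function sendsCredentials(documentOrigin, requestUrl, credentialsMode) {
  const sameOrigin = new URL(requestUrl).origin === documentOrigin;
  if (credentialsMode === "include") return true;
  if (credentialsMode === "same-origin") return sameOrigin;
  return false;
}

// Constructed server behaviour: every resource requires Basic authentication.
function serverStatus(hasAuthorizationHeader) {
  return hasAuthorizationHeader ? 200 : 401;
}

// Assumption: the user has already entered valid credentials for both realms.
function loadSubresources(documentUrl, subresources) {
  const documentOrigin = new URL(documentUrl).origin;
  return subresources.map((r) => {
    const credentialsSent = sendsCredentials(documentOrigin, r.url, r.credentials);
    return { ...r, credentialsSent, status: serverStatus(credentialsSent) };
  });
}

// Constructed requests mirroring the scenario in the issue.
const scenario = [
  // Plain <link rel="stylesheet">: no-cors request, credentials "include".
  { kind: "stylesheet", url: "https://cdn.example.com/example.css", credentials: "include" },
  // @font-face: CORS request in "Anonymous" mode, i.e. credentials "same-origin".
  { kind: "font", url: "https://cdn.example.com/example.ttf", credentials: "same-origin" },
  // Contrast: the same font served from the document's own origin.
  { kind: "font", url: "https://www.example.com/example.ttf", credentials: "same-origin" },
];

const results = loadSubresources("https://www.example.com/index.html", scenario);
for (const r of results) {
  console.log(`${r.kind.padEnd(10)} ${r.url}  credentials=${r.credentialsSent}  ${r.status}`);
}
```

The font request is compared against the origin of the containing document, not the origin of the stylesheet that references it, which is why serving the font from the same host as the CSS still produces the 401.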