Difficulty with font-face cross-domain restrictions
Hi folks -

When I was griping to my friend that works at Mozilla about my font-face woes, I was pointed to this bug https://bugzilla.mozilla.org/show_bug.cgi?id=604421 which ends in a suggestion to post in the forum. So, here I am, and hopefully this is the right place to share my experience with cross-domain fonts and Firefox.

I am a frontend developer at Coursera, and we use custom fonts in a few ways:
- we have custom fonts for our serif and sans-serif that we use throughout our websites (www.coursera.org, class.coursera.org, authentication.coursera.org, blog.coursera.org, etc)
- we use Font Awesome, an icon font, also throughout our websites

When we develop our website locally, we serve our custom fonts from our local machines. When we deploy to live, we host our fonts on CloudFront (an Amazon S3-backed service for static asset delivery), and they are served from a domain like 34234234.coursera.org.

In Chrome, this causes no issues, and we are happy. In Firefox, however, we keep getting bitten by the cross-domain fonts policy. When we first moved to CloudFront and discovered the issue, we rushed to read up on what header we could set, and so we used www.coursera.org. After waiting a few hours to invalidate the CloudFront cache, we realized that we have other domains, and we tried various syntaxes for getting it to be accepted at anything off our coursera.org domain. Eventually we gave up and decided, screw it, let's just use *. So, that was about a day of our time.

Unfortunately, it didn't end there, and in total, we've spent about 3 days trying to get our fonts working in Firefox across all of our sites. The problem is that our subdomain setup and cache headers locally do not exactly match the subdomain setup on our staging servers, which does not exactly match the subdomain setup on our live servers, and that means that every time something changes about our setup, we are liable to discover only once live that we've introduced an issue with our fonts in Firefox, and we have to rush to fix it and invalidate our caches and get our users to clear theirs.

You could argue that we should be prepared for this, and make our local environment better match live, but the thing is that we don't run into this problem for anything besides fonts, and well, given that Chrome doesn't enforce the policy, it just seems silly and is quite frustrating to us. It feels like the developers of the world should be able to spend their time doing more productive things, not futzing with headers all day to get an arrow to show up properly.

I hope that my explanation helps with understanding the developer experience of someone trying to use font-face on Firefox. (And IE, but we have more users in FF, s... :)

Thank you for listening!

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Difficulty with font-face cross-domain restrictions
One reason behind this is: what if you were using a font that wasn't free, but had a license that required you to prevent deep-linking of the font from other sites to where it's hosted on your site? Firefox and IE give you a way to do that. Chrome doesn't.

In this case, it's a free font so it doesn't matter, but of course the browser doesn't know that ... unless you tell us via Access-Control-Allow-Origin:*.

BTW it's not clear to me why after adding Access-Control-Allow-Origin:*, you still had problems. I assume it's an arcane detail of Web development I'm blissfully ignorant of :-).

Rob
--
Jesus called them together and said, “You know that the rulers of the Gentiles lord it over them, and their high officials exercise authority over them. Not so with you. Instead, whoever wants to become great among you must be your servant, and whoever wants to be first must be your slave — just as the Son of Man did not come to be served, but to serve, and to give his life as a ransom for many.” [Matthew 20:25-28]
Re: Difficulty with font-face cross-domain restrictions
Perhaps then, it could be a setting/header that we could opt-in-to, instead of having to opt out of, i.e., if I put the header there, then you obey it, but otherwise, you don't care?

Why we still had problems after adding *: we have multiple codebases and have gone through a few iterations of how we serve assets for them, so each time we did it, we had to set up the correct headers again (you would think we would have learnt from the first time, but it's easy to forget these things), and since we keep accidentally starting with non *, we then have to invalidate the cache on the CloudFront servers for those files, which takes a few hours.

On Sat, Jan 5, 2013 at 2:16 AM, Robert O'Callahan rob...@ocallahan.org wrote:

> One reason behind this is: what if you were using a font that wasn't free, but had a license that required you to prevent deep-linking of the font from other sites to where it's hosted on your site? Firefox and IE give you a way to do that. Chrome doesn't.
>
> In this case, it's a free font so it doesn't matter, but of course the browser doesn't know that ... unless you tell us via Access-Control-Allow-Origin:*.
>
> BTW it's not clear to me why after adding Access-Control-Allow-Origin:*, you still had problems. I assume it's an arcane detail of Web development I'm blissfully ignorant of :-).
>
> Rob
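
The header rule this thread keeps running into, as an added example (not code from the posters or from Coursera): `Access-Control-Allow-Origin` carries either `*` or one exact origin, so serving several subdomains without `*` means echoing the request's `Origin` when it is on an allowlist. The site and font hostnames are the ones named in the first post; the `https` scheme, the allowlist rule and all function names are assumptions.

```javascript
// Constructed sample data: hostnames from the first post, https assumed.
const SITES = ["https://www.coursera.org", "https://class.coursera.org",
               "https://authentication.coursera.org", "https://blog.coursera.org"];
const FONT_ORIGIN = "https://34234234.coursera.org";
const ALLOWED_SUFFIX = ".coursera.org"; // assumption: every legitimate site is an https subdomain

// Server side: choose the CORS headers for a font response from the request's Origin.
function fontCorsHeaders(requestOrigin) {
  const headers = { "Vary": "Origin" }; // stops a cache reusing one origin's answer for another
  let url;
  try { url = new URL(requestOrigin); } catch { return headers; } // missing or malformed Origin
  const host = url.hostname;
  // Leading dot in the suffix matters: "evilcoursera.org" must not match.
  const allowed = url.protocol === "https:" &&
    (host === "coursera.org" || host.endsWith(ALLOWED_SUFFIX));
  if (allowed) headers["Access-Control-Allow-Origin"] = url.origin;
  return headers;
}

// Browser side: the check a CORS-enforcing browser applies before using the font.
function fontLoads(pageOrigin, fontOrigin, responseHeaders) {
  if (pageOrigin === fontOrigin) return true; // same origin: no header needed
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin; // exact match only: no lists, no patterns
}

// Pre-deploy check: which sites would lose their fonts under a given header policy?
function audit(pageOrigins, fontOrigin, headersFor) {
  return pageOrigins.filter(o => !fontLoads(o, fontOrigin, headersFor(o)));
}

// A single fixed origin breaks every other subdomain.
const fixedHeader = () => ({ "Access-Control-Allow-Origin": "https://www.coursera.org" });
console.log("fixed www header, broken on:", audit(SITES, FONT_ORIGIN, fixedHeader));
// Reflecting an allowlisted Origin works everywhere without opening the font to all sites.
console.log("allowlist echo, broken on:", audit(SITES, FONT_ORIGIN, fontCorsHeaders));
```

Running `audit` against the headers each environment actually returns, before a deploy, catches the mismatch between local, staging and live that the first post describes.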