When my website first time loaded the fonts are not loaded. I'm receiving following errors
Font from origin 'https://locohop.com' has been blocked from loading by
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin 'http://locohop.com'
is therefore not allowed access.
I lots off googling and this question is already asked on stackoverflow
I follow all the steps given in above question but fonts are not worked correctly. and
I am using AWS EC2 instance
Here is my CORS configuration
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>https://www.locohop.com</AllowedOrigin>
<AllowedOrigin>http://www.locohop.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>
</CORSRule>
</CORSConfiguration>
I don't know why i am getting this error? your help is greatly appreciated.
Thanks.
You need to create a CORS policy in your .htacess
Header add Access-Control-Allow-Origin "locohop.com"
Related
I have an issue on a Wordpress website in which the Google Maps doesn't load on Firefox and Safari specifically. The map shows blank and a message Loading map...that never ends on those 2 browsers.
This curious message in yellow is displayed on the browser on Google Chrome:
jquery.min.js?ver=1.11.1:4 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://github.com/googlemaps/js-map-label/blob/gh-pages/src/maplabel.js?_=XXXXXXXXXX with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
and in Firefox it displays the following message also as a yellow alert:
Loading failed for the <script> with source “https://github.com/googlemaps/js-map-label/blob/gh-pages/src/maplabel.js?_=XXXXXXXXX”.
Any clue on what it only works in Chrome and not in Firefox and Safari? Any clue how to solve it?
Thank you
As from the error, your CSP (Content Security Policy) does not allow you to load scripts from github.com domain.
You can :
Edit your content-security-policy headers to allow https://github.com loading. You can do it from your Apache/Nginx settings, or from PHP (if you use it) but I prefer handling those headers from web-server config.
CSP can also be managed using header meta tag
As you're directly serving from Github, you may need to change the default-src as content-type is text/html. I don't know if the script-src will handle it.
Download and upload the script to your server. Like this, it'll be loaded from the same domain, and should not throw CSP error.
Also:
Using files directly from GitHub is not the best idea. As you can see here and from your console error with MIME type text/html, Github serve your JS file as text/html instead of application/javascript.
It would be better to use a proper CDN (if a CDN serving your file exist), or store the file on your server.
I recently implemented a Asp.Net WebApi and deployed it successfully. I included the Cors library so that this API can be used from any network.
First run through, it works correctly, I can see that the header is set and did a test on test-cors.org.
A colleague of mine, says that he does not get the Access-Control-Allow-Origin header, as if Chrome is stripping it out? When using a different browser, Firefox or Internet Explorer, the header is there.
Has anyone come across this before?
Any help is appreciated. Thanks!
I want to load Fontawesome from a CDN but I get
failed cross-origin request. Resource access is restricted
I know that to fix this a HTTP header should be added, but is there any way to avoid doing this?
I tried replacing
'../font/fontawesome-webfont.eot?v=3.2.0')
with full urls but it didnt help for some reason. Is there anything that can be done without the header?
You have to create .htaccess file on font folder with this text.
<FilesMatch ".(eot|ttf|svg|otf|woff|woff2)">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
This is browsers’ same-origin policy restrictions http://www.w3.org/TR/css3-fonts/#same-origin-restriction.
If you are using amazon s3 this could help you Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading
Your CDN needs to include the Access-Control-Allow-Origin:* header in the response for the font files. See my answer to Font Awesome icons not showing in Chrome, a MaxCDN related Cross-Origin Resource Sharing policy issue
CORS Configuration
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://www.your-site.com</AllowedOrigin>
<AllowedOrigin>https://www.your-site.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
</CORSRule>
</CORSConfiguration>
I thought I have somehow found a solution to the very vexing problem with Firefox and CDN-hosted fonts access, but here comes IE9.
I recently found a very frustrating issue with IE9 caching problem, and chanced upon this blog post (IE9 Redirect Caching Nightmare) which enlightened me more about the actual issue.
I have to admit that I'm not sure whether the above mentioned is actually the issue, but it seems close enough.
Problem:
I have a website set up with 2 domains(base domain and subdomain) pointing to the same server, serving the exact same website which is using a same set of resources from a CDN hosted on Amazon S3, served by Cloudfront.
https://example.com
https://www.example.com
I get these kind of error messages in my IE9 developer tools console when loading fonts from my CSS file using #font-face:
CSS3117: #font-face failed cross-origin request. Resource access is restricted.
This happens when I loaded either of the URL first, then visiting the other second. IE9 is not running in Compatibility Mode. It running is in Document Mode: IE9 Standards.
From my limited understanding of the CORS and the need to set Access-Control-Allow-Origin HTTP header, I have dutifully set it up in S3 CORS policy, and it works perfectly fine with Firefox.
Requests from both domains, will get their respective header when requesting the CDN resource.
It seems that IE9 tried to do some optimization with caching, and cached the redirect too.
This causes a problem as the Access-Control-Allow-Origin header is cached as well. Without sending a request to the CDN server, the Access-Control-Allow-Origin header cannot change for different domains.
So I'm left with a situation where the request is from https://www.example.com and yet the Access-Control-Allow-Origin is https://example.com. This leads to the restricted resource problem with the error message above.
Further look: I did a check with Firefox 19, the above situation actually occurs, but it does not encounter the same strict restriction as IE9. Subdomain (https://www.example.com) requesting information will accept the access-control-allow-origin of the main domain(https://example.com). Chrome (Webkit) doesn't seem to care. I'm at a loss about which browser's behaviour implementation is correct.
With my current settings in the CDN, it seems like Chrome and Firefox, automatically reroutes allwww subdomain requests to the main domain. Only upon multiple attempts of inputing the www subdomain in the address bar, then will Chrome and Firefox obey. IE9 on the other hand, just goes to whichever address is typed in the address bar. IE9 seems to be the odd one out here, but I'm not sure which browser's behaviour is actually correct.
From a usability standpoint, Chrome and Firefox seems to be the "correct" behaviour.
Known Possible Solutions:
Set Access-Control-Allow-Origin header to allow all, i.e. *
Turn off caching in the browser
Redirect one domain to the other
Use query string to differentiate different domain calls for resource
Embed the font into the CSS as data-uri
For solution 1, let's just say I'm paranoid that I just want to set specific domains to allow.
For solution 2, is not optimal if I were to set it for all browsers, also my site has to run on mobile devices with usually less-than-desirable download speeds.
For solution 3, possible, but I'm still curious for solution to deal directly with the IE9 caching issue.
For solution 4, it is very hard to implement especially when the resource is called from #font-face. Does it mean that I'll have to dynamically re-generate the CSS for different domain calls for the different line just to load a font to bypass the issue? Seems to defeat the purpose of CSS itself, and caching resources for that matter.
edit: Stylesheet works, font-loading doesn't.
For Solution 5, it is tedious for maintenance and updating, especially when there are changes to the font files periodically.
Question: Are there any known ways to deal specifically with IE9's redirect caching behaviour in this particular case?
Answers and comments are very much appreciated. Thanks in advance!
Edit: More browser test information.
Solution 1:
Check this question.
Solution 4: rename your CSS file to style.php and use whatever code you need to call the appropriate resource.
Set the content type at the top of the page.
<?php
header("Content-type: text/css; charset: UTF-8");
?>
More info about style.php from Chris Coyier.
We discovered the same weird behavior also in IE10 and IE11.
Resetting the browser cache makes the fonts to be loaded without any problem. Also enabling and disabling compatibility mode.
But when switching to another subdomain, IE does not render the font because request header does not match the response header which is still the URL of the last request. And IE always shows the full URL for even if the definition on the bucket is *.ourdomain.com
So the general issue with allowing cross origin requests to assets like webfonts was solved by adding CORS permissions to the S3 Bucket - that made the webfonts work perfectly in Firefox.
But we still have no idea how to avoid * and tell IE not to cache the response headers.
We're hosting a couple of HTML5 games that utilise the offline.appcache feature letting games cache a lot better.
To serve the .appcache type however, I had to add the mime type to the server (IIS7) so it wouldn't 404. When I do, it refuses to serve any images or CSS files! The error sent to the browser when I request a CSS or image file is:
The page cannot be displayed because an internal server error has occurred.
The extension I am adding is appcache with the MIME type text/cache-manifest.
Any ideas why it's causing this behaviour?
Finally figured it out, I added the mime type on server level not site level. One of the sites already had that mime type defined. Which caused a conflict. But bizarrely the site with the dual definition was fine, it was the other sites that failed.
I ran into a similar issue when adding the .appcache. All .js and .css file requests responded with an error from IIS. I realized it was because I had not specified a NETWORK: section.
My working .appcache now forces all files to be refreshed and doesn't cause errors:
CACHE MANIFEST
# cache version 1.0.0.6
NETWORK:
*