UPDATE: Looks like a bug in Chrome: https://code.google.com/p/chromium/issues/detail?id=544879
We have had a site up and running for a few years now with fonts hosted on S3. It is NOT an S3 website, it's a private CDN, and we load the font with an S3 authenticated URL.
With the latest update from Chrome, this has stopped working due to CORS issues.
S3 is configured for CORS like this:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
This has worked until Chrome 46.0.2490.7 (released 2 days ago). It now errors with this:
Font from origin 'https://domain.s3-eu-west-1.amazonaws.com' has been blocked from loading by Cross-Origin Resource Sharing policy: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'https://domain.co.uk' is therefore not allowed access.
It sounds like Chrome itself is adding the Credentials Flag? I found this ticket https://code.google.com/p/chromium/issues/detail?id=516192 from August that sounds like they enforced the Credentials flag on https same domain requests, but this is a CORS https request, so it shouldn't be adding it?
Also, even if I remove the * and add the domain to see if that fixes it, it then says there is NO Access-Control-Allow-Origin value set, which is not the case.
Anyone know what's going on with this? Am I missing something?
The only workaround I've found so far is to proxy the fonts via the same domain server. Not ideal.
I opened a ticket: https://code.google.com/p/chromium/issues/detail?id=544879
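The check a browser applies to a CORS response, written out as an added example that is not part of the original post. It follows the CORS check steps of the Fetch Standard and runs them for both a non-credentialed and a credentialed request; the response headers are constructed samples, not captured from S3, and the function and variable names are hypothetical.

```javascript
// CORS check per the Fetch Standard, reduced to the two headers involved here.
// request:  { origin, credentialsMode } with mode "omit" | "same-origin" | "include"
// response: object mapping lower-cased header names to values
function corsCheck(request, response) {
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // Only "include" sends credentials on a cross-origin request.
  const credentialed = request.credentialsMode === "include";
  if (allowOrigin === "*") {
    return credentialed
      ? { ok: false, reason: "wildcard not allowed when credentials flag is true" }
      : { ok: true, reason: "wildcard accepted for non-credentialed request" };
  }
  // The header must match the serialized request origin exactly.
  if (allowOrigin !== request.origin) {
    return { ok: false, reason: "Access-Control-Allow-Origin does not match origin" };
  }
  if (!credentialed) {
    return { ok: true, reason: "origin matches" };
  }
  return response["access-control-allow-credentials"] === "true"
    ? { ok: true, reason: "origin matches and credentials are allowed" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

// Constructed sample responses (not captured from S3).
const ORIGIN = "https://domain.co.uk"; // origin named in the error message above
const SAMPLES = {
  wildcard: { "access-control-allow-origin": "*" },
  exactOrigin: { "access-control-allow-origin": ORIGIN },
  exactWithCredentials: {
    "access-control-allow-origin": ORIGIN,
    "access-control-allow-credentials": "true",
  },
  noCorsHeaders: {},
};

for (const mode of ["same-origin", "include"]) {
  for (const [name, headers] of Object.entries(SAMPLES)) {
    const result = corsCheck({ origin: ORIGIN, credentialsMode: mode }, headers);
    console.log(`${mode.padEnd(11)} ${name.padEnd(20)} ${result.ok ? "PASS" : "FAIL"}: ${result.reason}`);
  }
}
```

When reproducing an error like the one above, comparing the response headers in the network panel against this table shows which step rejected the response.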