
Support Forum

Firefox local development "CORS request not http"


As of update to v68 I get errors like these: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///D:/website/fonts/fontawesome-webfont.woff?v=4.2.0. (Reason: CORS request not http).

What the heck is this? Why did silly Mozilla mess up the development of local files? How can I bypass that WITHOUT ALTERING my code? It broke fontawesome functionality! Very stupid!



Additional System Details

Installed Plug-ins

  • Shockwave Flash 28.0 r0

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0


philipp
  • Top 25 Contributor
  • Moderator
5282 solutions 23334 answers

Chosen Solution

Hi, perhaps due to this security fix: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730

Try to change privacy_file_unique_origin to false in about:config, restart Firefox and see if this can make a difference (please note that this makes you vulnerable to the described security problem though).


Question owner

philipp said

> Hi, perhaps due to this security fix: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730 Try to change privacy_file_unique_origin to false in about:config, restart Firefox and see if this can make a difference (please note that this makes you vulnerable to the described security problem though).

You are a star! Everything now is back to normal. This is pretty stupid on Mozilla's part!

mcdow 0 solutions 4 answers

The proposed solution is not ideal in that it requires local HTML files that use local fonts to change their default about:config settings. It would be better if Firefox allowed fonts such as font-awesome to load without going through CORS. Here is the warning: The Same Origin Policy disallows reading the remote resource at file:///.../font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0. (Reason: CORS request not http).

jscher2000
  • Top 10 Contributor
8580 solutions 70167 answers

Hi mcdow, the security patch redefined the "origin" of a document with a file:// URL, which is why the console now reports cross-origin blocks on some retrievals. If you decide to reverse that, please make sure to open untrusted pages from their own folders (for example, create Download\untrusted) to limit access to potentially valuable files.

mcdow 0 solutions 4 answers

Hi jscher,

Understood, but redefining all local file resources to have a unique origin breaks Mozilla's previous standard:

https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs

This seems severe as the other browser vendors are NOT doing that with their origin definitions. This also makes using browsers for local help very limited. I hope Mozilla will reconsider.

jscher2000
  • Top 10 Contributor
8580 solutions 70167 answers

Hi mcdow, is there a page documenting how it works in other browsers?

Help systems that were taking advantage of the broader functionality in Firefox will need to change. For example, treating Firefox as having the more limited capabilities that have been available in Chrome: https://discourse.mozilla.org/t/firefox-68-local-files-now-treated-as-cross-origin-1558299/42493

mcdow 0 solutions 4 answers

Hi jscher2000,

The link I posted describes how it works on other browsers. For 'file:' resources, origin should be the same for files in the same or child directories as defined in the statement here.

https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs

Currently, in v68 this breaks many (1000s if not more) users accessing local help content using Firefox. Users can switch to another browser and the local resources will work. Is there a place where I can upload an example? Thank you.

jscher2000
  • Top 10 Contributor
8580 solutions 70167 answers

mcdow said

> Currently, in v68 this breaks many (1000s if not more) users accessing local help content using Firefox. Users can switch to another browser and the local resources will work. Is there a place where I can upload an example?

If copyright permits, sure, or perhaps there is a sample online that could be downloaded for testing.

By the way, I did file a bug yesterday proposing an exception for .woff and .woff2 font files. Waiting to see whether that is considered feasible.

mcdow 0 solutions 4 answers

Hi jscher2000,

>By the way, I did file a bug yesterday proposing an exception for .woff and .woff2 font files.

Thank you, this would help. I would add .ttf font files as well.

Arne 0 solutions 1 answers

I have this problem too. It wouldn't be so bad if FF would let me keep using v. 67.x until the problem was fixed, but the new (broken) version 68.0 is automatically installed, even though my settings say to ask me for confirmation first :(

jscher2000
  • Top 10 Contributor
8580 solutions 70167 answers

Helpful Reply

Hi Arne, Firefox 68 contains a security patch which restricts the kinds of files that pages can load (and methods of loading) when you open them from a file:// URL. This change was made to prevent exfiltration of valuable data within reach of a local page, as demonstrated in an available exploit. More info:

  • https://developer.mozilla.org/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp
  • https://www.mozilla.org/security/advisories/mfsa2019-21/#CVE-2019-11730

There is a bug on file proposing that fonts be an exception, but it will take time to implement. For now, you can roll back the patch as follows:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste uniq and pause while the list is filtered.

(3) Double-click the privacy.file_unique_origin preference to switch the value from true to false.

To mitigate the vulnerability: If you save pages from untrusted sites in a separate folder, e.g., Downloads\Untrusted, then it would be difficult for an attacker to find any valuable content using local file links.
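The origin change and the separate-folder mitigation discussed in this thread, as an added example that is not part of any post and is not Firefox code. It is a simplified model that assumes the older rule is "same directory or a child directory", as described above; every path except the font URL is constructed.

```javascript
// Added illustration: a simplified model of the two file:// origin rules
// discussed in this thread. It is not Firefox source code.

// Decoded path of a file: URL. The URL parser already resolves ".." segments
// and moves "?v=..." into the query string, so neither affects the path.
function filePath(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== 'file:') throw new Error('not a file: URL: ' + fileUrl);
  return decodeURIComponent(u.pathname);
}

// Can the page at docUrl read targetUrl through a load that is subject to
// the same-origin check (for example a web font)?
//   uniqueOrigin = true  : Firefox 68 default, each file: URL is its own origin
//   uniqueOrigin = false : older rule, same directory or a child directory
function canRead(docUrl, targetUrl, uniqueOrigin) {
  const doc = filePath(docUrl);
  const target = filePath(targetUrl);
  if (uniqueOrigin) return false;
  const dir = doc.slice(0, doc.lastIndexOf('/') + 1); // keeps the trailing "/"
  return target.startsWith(dir);
}

// Which of the given files are within reach of the page?
function reachable(docUrl, files, uniqueOrigin) {
  return files.filter((f) => canRead(docUrl, f, uniqueOrigin));
}

// Constructed sample paths; only the font URL comes from the thread.
const FONT = 'file:///D:/website/fonts/fontawesome-webfont.woff?v=4.2.0';
const SITE_PAGE = 'file:///D:/website/index.html';
const DOWNLOADS = [
  'file:///C:/Users/me/Downloads/tax-return.pdf',
  'file:///C:/Users/me/Downloads/Untrusted/saved-page_files/style.css',
];
const SAVED_LOOSE = 'file:///C:/Users/me/Downloads/saved-page.html';
const SAVED_ISOLATED = 'file:///C:/Users/me/Downloads/Untrusted/saved-page.html';

console.log('font, v68 default :', canRead(SITE_PAGE, FONT, true));
console.log('font, pref false  :', canRead(SITE_PAGE, FONT, false));
console.log('saved in Downloads:', reachable(SAVED_LOOSE, DOWNLOADS, false));
console.log('saved in Untrusted:', reachable(SAVED_ISOLATED, DOWNLOADS, false));
```

With the preference set to false, the page saved directly in Downloads is same-origin with everything below that folder, while the copy in Downloads/Untrusted reaches only its own subfolder.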