I am designing a website (e.g. mywebsite.example) and this site loads font-face fonts from another site (say anothersite.example). I was having problems with the font face font loading in Firefox and I read on this blog:
Firefox (which supports #font-face
from v3.5) does not allow cross-domain
fonts by default. This means the font
must be served up from the same domain
(and sub-domain) unless you can add an
“Access-Control-Allow-Origin” header
to the font.
How can I set the Access-Control-Allow-Origin header to the font?
So what you do is... In the font files folder put an htaccess file with the following in it.
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
also in your remote CSS file, the font-face declaration needs the full absolute URL of the font-file (not needed in local CSS files):
e.g.
#font-face {
font-family: 'LeagueGothicRegular';
src: url('http://www.example.com/css/fonts/League_Gothic.eot?') format('eot'),
url('http://www.example.com/css/fonts/League_Gothic.woff') format('woff'),
url('http://www.example.com/css/fonts/League_Gothic.ttf') format('truetype'),
url('http://www.example.com/css/fonts/League_Gothic.svg')
}
That will fix the issue. One thing to note is that you can specify exactly which domains should be allowed to access your font. In the above htaccess I have specified that everyone can access my font with "*" however you can limit it to:
A single URL:
Header set Access-Control-Allow-Origin http://example.com
Or a comma-delimited list of URLs
Access-Control-Allow-Origin: http://site1.com,http://site2.com
(Multiple values are not supported in current implementations)
According to the official docs, browsers do not like it when you use the
Access-Control-Allow-Origin: "*"
header if you're also using the
Access-Control-Allow-Credentials: "true"
header. Instead, they want you to allow their origin specifically. If you still want to allow all origins, you can do some simple Apache magic to get it to work (make sure you have mod_headers enabled):
Header set Access-Control-Allow-Origin "%{HTTP_ORIGIN}e" env=HTTP_ORIGIN
Browsers are required to send the Origin header on all cross-domain requests. The docs specifically state that you need to echo this header back in the Access-Control-Allow-Origin header if you are accepting/planning on accepting the request. That's what this Header directive is doing.
The accepted answer doesn't work for me unfortunately, since my site CSS files #import the font CSS files, and these are all stored on a Rackspace Cloud Files CDN.
Since the Apache headers are never generated (since my CSS is not on Apache), I had to do several things:
Go to the Cloud Files UI and add a custom header (Access-Control-Allow-Origin with value *) for each font-awesome file
Change the Content-Type of the woff and ttf files to font/woff and font/ttf respectively
See if you can get away with just #1, since the second requires a bit of command line work.
To add the custom header in #1:
view the cloud files container for the file
scroll down to the file
click the cog icon
click Edit Headers
select Access-Control-Allow-Origin
add the single character '*' (without the quotes)
hit enter
repeat for the other files
If you need to continue and do #2, then you'll need a command line with CURL
curl -D - --header "X-Auth-Key: your-auth-key-from-rackspace-cloud-control-panel" --header "X-Auth-User: your-cloud-username" https://auth.api.rackspacecloud.com/v1.0
From the results returned, extract the values for X-Auth-Token and X-Storage-Url
curl -X POST \
-H "Content-Type: font/woff" \
--header "X-Auth-Token: returned-x-auth-token" returned-x-storage-url/name-of-your-container/fonts/fontawesome-webfont.woff
curl -X POST \
-H "Content-Type: font/ttf" \
--header "X-Auth-Token: returned-x-auth-token" returned-x-storage-url/name-of-your-container/fonts/fontawesome-webfont.ttf
Of course, this process only works if you're using the Rackspace CDN. Other CDNs may offer similar facilities to edit object headers and change content types, so maybe you'll get lucky (and post some extra info here).
For Java based Application add this to your web.xml file:
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.ttf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.otf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.eot</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.woff</url-pattern>
</servlet-mapping>
In your file.php of request ajax, can set value header.
<?php header('Access-Control-Allow-Origin: *'); //for all ?>
Related
We have set request header X-Content-Type-Options:nosniff in a sample application.
To test it, I set a rule to change the content type of a js url from application/javascript to text/css through chrome app Requestly.
I was expecting that since the X-Content-Type-Options:nosniff is set, it should not allow the content type to change.
But when I run the application and check in Chrome developer tools for the js file url headers, I can see the new content type text/css and also error for executing the js file.
So I am wondering why it allowed the content type to change and if I am testing it the proper way ?
You can check whether the response headers include "x-content-type-options: nosniff" by running:
curl -I <URL_TO_VERIFY>
X-Content-Type-Options:nosniff will prevent the browser from performing MIME sniffing, it can not prevent any other entities, like a browser extension or proxies, from altering content-type.
MIME sniffing definition from MDN.
In the absence of a MIME type, or in some other cases where a client
believes they are incorrectly set, browsers may conduct MIME sniffing,
which is guessing the correct MIME type by looking at the resource.
Each browser performs this differently and under different
circumstances.
I tried the command below, but it doesn't work for me.
curl -I <URL_TO_VERIFY>
But this syntax works for me:
curl '*' -I <URL_TO_VERIFY>
If you run behind your company proxy:
curl --noproxy '*' -I <URL_TO_VERIFY>
I am developing a HTML5 Javascript app to get an image from my local server which runs on the same machine as the app. When I run the app on my Chrome, I got:
Access to Image at 'http://localhost/someDIrectory/1.jpg' from origin
'http://localhost:50000' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:50000' is therefore not allowed
access.
From many questions here, the answers point out that I need to set
header("Access-Control-Allow-Origin: *");
in php file and it should work, but that is for php files... What about an image or a directory with images?
I have also came across How do I enable cross-origin resource sharing on XAMPP? and tried to add
<IfModule C:\xampp\htdocs\someDIrectory\1.jpg>
Header set Access-Control-Allow-Origin: *
</IfModule>
into httpd.conf. I tried restart XAMPP and retried the above. But the result I got is still the same.
How to correctly set up such setting for XAMPP?
Note: I am using Construct 2 which is basically exported out as an HTML5/Javascript. I am simply using Sprite Load From URL action.
Create a file called ".htaccess" in the directory of your files and add the following to the file.
Header set Access-Control-Allow-Origin "http://localhost:50000/"
You need to create the .htaccess file first and put it on your root document of application and then set it at the beginning of the file
Header set Access-Control-Allow-Origin *
Cheers,
I am trying to load web fonts from a CDN, but am getting a Cross Origin Request error. I have set the following headers in my httpd conf file:
Header Add Access-Control-Allow-Origin: my-cdn-domain
and
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
and I see the Access-Control header in the console, but the fonts still do not load.
Does anyone have any ideas?
It turns out that this had to do with us moving the site over to https. When we moved the site, we didn't update the origins in the cdn to be https also and that was causing the source to actually be our non-https server!
Header Add Access-Control-Allow-Origin: my-cdn-domain
Your CDN domain has to give permission to your HTML domain, not the other way around.
I am trying to exclude all my liferay testing environment from search engines.
The new line is disappearing and \r\n or \n as separators are not working either.
This is my robots file:
User-agent: *
Disallow: /
This is my web.xml snippet:
<filter>
<filter-name>RobotKiller</filter-name>
<filter-class>com.robot.kill.KillARobot</filter-class>
</filter>
<filter-mapping>
<filter-name>RobotKiller</filter-name>
<url-pattern>/robots.txt</url-pattern>
</filter-mapping>
domain/robots.txt:
User-agent: *Disallow: /
I think I know what the problem is. The Content-Type HTTP header is set incorrectly on this file. You have the content type set to text/html when it should be set to text/plain.
When you view the file in your browser, it interprets it is HTML which treats new lines as spaces. You should be able to use your browser's view source feature to see it formatted correctly.
The robots.txt file may work for the search bots, even with an incorrect Content-Type header, but it would be better not to take any chances.
We have an application that allows users to add/edit/replace/delete content (text, images, swfs, mp3s, etc). We want the admins to always have the latest updated files by using a no-cache header and when a user runs the application, everything gets/uses the cache.
I have looked into solutions and have tried using html meta tags like:
<meta http-equiv="expires" content="0" />
<meta http-equiv="cache-control" content="no-cache, no-store" />
<meta http-equiv="pragma" content="no-cache" />
But that doesn't seem to be a good solution as this happens after the headers are created and doesn't change the media (images, swfs, mp3s, etc) headers.
I wanted to use apache to set the headers and came across this code for this site:
<filesMatch "\.(html|htm|js|css)$">
FileETag None
<ifModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</ifModule>
</filesMatch>
This seems to be a great solution, however the only real difference between when we need it cached and when it shouldn't be cached is the URL (preview.jsp vs run.jsp), so we can't match it by file type as most files are the same.
Does anyone have a good solution for this type of scenario?
Thanks.
EDIT:
Preview.jsp and run.jsp basically are the same only with different jsp and js processing. They read in the same content and media through an iframe. For example, they each look like:
<%
//Some JSP
%>
/* HTML Headers, JS, ETC */
<iframe id="contentFrame" seamless="1" src="http://somedomain.com/template.html"></iframe>
/* End HTML */
preview.jsp and run.jsp appear in the same directory and use all the same resources. I am looking for a solution to have preview.jsp not to cache anything and run.jsp to cache things.
Server is setup with Apache Tomcat.
A combination of SetEnvIf and Header might do the trick:
# Image, CSS and JavaScript requests normally contain the Referer header
# which tells apache which page is requesting the resource
# Use SetEnvIf directive to set a flag for internal uses
SetEnvIf Referer preview\.jsp force_no_cache
# Header directive optionally accepts env= argument
# If present, the directive is fired if the flag is set
Header unset ETag env=force_no_cache
# repeat for other headers
You can set up corresponding headers in your Java servlet. Apache mod_headers is mostly supposed to work for static resources, managed by Apache. While everything that is provided by application servers is managed on the AS side.
Usually, you can use Filters for this purpose. Here is an example: http://www.tidytutorials.com/2009/11/adding-headers-to-requests-in-filters.html