Cookies not being sent via font-face request

Question

I have a cookie set on the domain example.com.
This cookie is included in requests for fonts when I have this in my CSS and go to the web server:

@font-face {
    font-family: Uniform;
    src: url("/font1.otf")
    format("opentype");
}

However, if I try and load up a font from a different server hosted on a subdomain, then the cookie does not get sent through:

@font-face {
    font-family: Uniform;
    src: url("https://asset.example.com/font1.otf")
    format("opentype");
}

However, if I load up an image as a background image on a div, the cookie is sent through absolutely fine. For example:

.bug {
  background-image: url("https://asset.example.com/my-img.png");
  position: absolute;
  top: 30px;
  right: 30px;
  filter: invert(100%);
  max-width: 150px;
}

I have been going round in circles for hours on this. Any help would be much appreciated.

I have tried setting the samesite to all three options on the cookie and if the cookie is secure or not.

Answer 1

Score: 1

Web fonts are treated differently from other types of resources, when it comes to cross-origin requests.

A quick search led me to https://stackoverflow.com/q/30248647/1427878, and a comment there is referring to https://bugs.chromium.org/p/chromium/issues/detail?id=411338 - and in there you find one comment saying,

> CSS Fonts Module Level 3 says that user agents must use "Anonymous" mode of CORS-enabled fetch [1], that means credentials are not sent regardless of server's Access-Control-Allow-Credentials header.
> (XMLHttpRequest change of Chrome 37 is unrelated to font fetches.)
>
> [1] http://www.w3.org/TR/css3-fonts/#font-fetching-requirements

So what you want here simply must not work, due to the specification.
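
Added example (not part of the original answer and not browser source code): a simplified JavaScript model of the credentials decision described above, applied to the three requests from the question. The profile table, function names and sample cookie are assumptions for illustration; SameSite is not modelled because example.com and asset.example.com are same-site.

```javascript
// Added example: simplified model of the browser's cookie decision, not browser code.
// Fetch standard: credentials are attached when the credentials mode is "include",
// or when it is "same-origin" and the target is same-origin with the document.
const FETCH_PROFILES = {
  // CSS Fonts "Anonymous" CORS mode: mode "cors", credentials "same-origin".
  font: { mode: "cors", credentials: "same-origin" },
  // CSS images such as background-image: mode "no-cors", credentials "include".
  "css-image": { mode: "no-cors", credentials: "include" },
};

// RFC 6265 domain-match: the exact host, or a subdomain of the Domain attribute.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function cookieSent(documentUrl, resourceUrl, kind, cookie) {
  const profile = FETCH_PROFILES[kind];
  if (!profile) throw new Error(`unknown resource kind: ${kind}`);
  const doc = new URL(documentUrl);
  const target = new URL(resourceUrl, doc); // resolves relative URLs like "/font1.otf"
  const includeCredentials =
    profile.credentials === "include" ||
    (profile.credentials === "same-origin" && target.origin === doc.origin);
  if (!includeCredentials) return false;
  // A cookie without a Domain attribute is host-only: exact host match required.
  const inScope = cookie.domain
    ? domainMatches(target.hostname, cookie.domain)
    : target.hostname === cookie.setByHost;
  return inScope && (!cookie.secure || target.protocol === "https:");
}

// Constructed sample input mirroring the question (values are assumptions).
const PAGE = "https://example.com/";
const COOKIE = { setByHost: "example.com", domain: "example.com", secure: true };
const CASES = [
  ["font", "/font1.otf"],
  ["font", "https://asset.example.com/font1.otf"],
  ["css-image", "https://asset.example.com/my-img.png"],
];
for (const [kind, url] of CASES) {
  console.log(kind, url, "cookie sent:", cookieSent(PAGE, url, kind, COOKIE));
}
```

The cross-origin font is the only case that returns false, and no cookie attribute changes that, since the decision is made from the request's credentials mode before cookie scope is considered.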


huangapple
  • Published on June 15, 2023, 19:32:22