Extension resources blocked by cross origin policy

In progress Issue #8744785 • Assigned to Scott S.


Sep 2, 2016
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Reported by 7 people

Sign in to watch or report this issue.

Steps to reproduce

New Repro:

  1. Sideload the attached Extension from: \iefs\users\sclow\extension_tests\CORSContentTest
  1. Navigate to purple.com
  1. Open browser console observe the CORS errors pertaining to fonts.

Old Repro:

In the process of modifying our Chrome extension to run within Edge as well.

Our extension contains some fonts and images that are used by content scripts and loaded into browsed webpages. Unfortunately, references to these resources at their extension URLs (ms-browser-extension://…) are blocked from being loaded by the cross origin policy.

Resources loaded from within an extension should be exempt from cross origin loading policies (this is the case with other web browsers).


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Akshay P.”

    Changed Assigned To to “Sebastian P.”

    Changed Assigned To to “Sermet I.”

    Changed Assigned To from “Sermet I.” to “Scott L.”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed” to “By design”

  • Changed Status from “By design”

  • If this is by design, what is the recommended way of accessing resources stored inside the browser extension?

  • Microsoft Edge Team

    Changed Status to “Confirmed”

    Changed Assigned To to “Scott L.”

  •  Sorry, I didn’t notice the .zip you attached here and thought that this was an issue with web_accessible_resources not being specified properly. My resolution comment didn’t seem to get posted as public though. I took another look at the attachments and have created a simple extension that reproduces the behavior you’re seeing (@font-face being blocked by CORS in content scripts regardless of WAR setting). I’ll continue to investigate.

  • I’ve assigned this over to our networking team so they can investigate a fix. Note that I only ran into issues when I tried to access fonts within the extension from pages/content scripts via @font-face. Images were accessible (via both relative and absolute paths) from the page as long as they were specified in web_accessible_resources. Fonts were also accessible from extension pages (such as popups) and iframes pointed to ms-browser-extension:// pages as long as they were specified in web_accessible_resources and as long as the full path to the font (i.e. ms-browser-extension://pathToFont/font.woff was specified in the @font-face url).

  • Microsoft Edge Team

    Changed Assigned To to “Venkat K.”

  • Thanks Scott! Appreciate you looking into this :)

  • Microsoft Edge Team

    Changed Assigned To from “Venkat K.” to “Rajat J.”

    Changed Assigned To from “Rajat J.” to “Nicolas A.”

  • Is this breaks already fix in insider build version?

    I am same problem.
    web fonts is not able to read via content-script yet.

  • Microsoft Edge Team

    Changed Status from “Confirmed” to “Fixed”

  • Thank you for filing this bug! We have fixed the issue and it will be available in an upcoming Windows Insider build.

  • I tested the newst MS Edge with attached extensions.

    MS Edge still has this problem.
    WebFont resources cannot be loaded from content script.

    error message printed to console log.

  • Microsoft Edge Team

    Changed Steps to Reproduce

    Changed Assigned To to “Mahesh J.”

    Changed Status from “Fixed”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed”

    Changed Status to “Confirmed”

    Changed Assigned To from “Mahesh J.” to “Scott S.”

    Changed Status from “Confirmed” to “In progress”

  • I just started having this problem in Edge…one try at my page GET returned a 200 at Apr-1-2019 17:50, then next GET returned a 500 at Apr-1-2019 18:17. Edge’s console log showed a CORS failure SEC7120: [CORS] The origin ‘ms-appx-web://microsoft.microsoftedge’ failed to allow a cross-origin font resource at 'ms-appx-web:///assets/Fonts/BrowserMDL.ttf#Browser MDL2 Assets’. This was followed by CSS3119: No fonts available for @font-face rule. Pages were being served on my localhost.

    Also hoping to see this issue get fixed. Thanks!

You need to sign in to your Microsoft account to add a comment.

Sign in