Extension resources blocked by cross origin policy

Confirmed Issue #8744785 • Assigned to Venkat K.

Details

Author
Spencer
Created
Sep 2, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
17.17134
Reports
Reported by 7 people

Sign in to watch or report this issue.

Steps to reproduce

New Repro:

  1. Sideload the attached Extension from: \iefs\users\sclow\extension_tests\CORSContentTest
  1. Navigate to purple.com
  1. Open browser console observe the CORS errors pertaining to fonts.

Old Repro:

In the process of modifying our Chrome extension to run within Edge as well.

Our extension contains some fonts and images that are used by content scripts and loaded into browsed webpages. Unfortunately, references to these resources at their extension URLs (ms-browser-extension://…) are blocked from being loaded by the cross origin policy.

Resources loaded from within an extension should be exempt from cross origin loading policies (this is the case with other web browsers).

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Akshay P.”

    Changed Assigned To to “Sebastian P.”

    Changed Assigned To to “Sermet I.”

    Changed Assigned To from “Sermet I.” to “Scott L.”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed” to “By design”

  • Changed Status from “By design”

  • If this is by design, what is the recommended way of accessing resources stored inside the browser extension?

  • Microsoft Edge Team

    Changed Status to “Confirmed”

    Changed Assigned To to “Scott L.”

  •  Sorry, I didn’t notice the .zip you attached here and thought that this was an issue with web_accessible_resources not being specified properly. My resolution comment didn’t seem to get posted as public though. I took another look at the attachments and have created a simple extension that reproduces the behavior you’re seeing (@font-face being blocked by CORS in content scripts regardless of WAR setting). I’ll continue to investigate.

  • I’ve assigned this over to our networking team so they can investigate a fix. Note that I only ran into issues when I tried to access fonts within the extension from pages/content scripts via @font-face. Images were accessible (via both relative and absolute paths) from the page as long as they were specified in web_accessible_resources. Fonts were also accessible from extension pages (such as popups) and iframes pointed to ms-browser-extension:// pages as long as they were specified in web_accessible_resources and as long as the full path to the font (i.e. ms-browser-extension://pathToFont/font.woff was specified in the @font-face url).

  • Microsoft Edge Team

    Changed Assigned To to “Venkat K.”

  • Thanks Scott! Appreciate you looking into this :)

  • Microsoft Edge Team

    Changed Assigned To from “Venkat K.” to “Rajat J.”

    Changed Assigned To from “Rajat J.” to “Nicolas A.”

  • Is this breaks already fix in insider build version?

    I am same problem.
    web fonts is not able to read via content-script yet.

  • Microsoft Edge Team

    Changed Status from “Confirmed” to “Fixed”

  • Thank you for filing this bug! We have fixed the issue and it will be available in an upcoming Windows Insider build.

  • I tested the newst MS Edge with attached extensions.

    MS Edge still has this problem.
    WebFont resources cannot be loaded from content script.

    error message printed to console log.

  • Microsoft Edge Team

    Changed Steps to Reproduce

    Changed Assigned To to “Mahesh J.”

    Changed Status from “Fixed”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed”

    Changed Status to “Confirmed”

    Changed Assigned To from “Mahesh J.” to “Scott S.”

    Changed Status from “Confirmed” to “In progress”

  • I just started having this problem in Edge…one try at my page GET returned a 200 at Apr-1-2019 17:50, then next GET returned a 500 at Apr-1-2019 18:17. Edge’s console log showed a CORS failure SEC7120: [CORS] The origin ‘ms-appx-web://microsoft.microsoftedge’ failed to allow a cross-origin font resource at 'ms-appx-web:///assets/Fonts/BrowserMDL.ttf#Browser MDL2 Assets’. This was followed by CSS3119: No fonts available for @font-face rule. Pages were being served on my localhost.

    Also hoping to see this issue get fixed. Thanks!

  • Keep getting this page message in Edge: (this issue is getting REALLY OLD!)

    Can’t connect securely to this page
    This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

    Console:
    HTML1300: Navigation occurred.
    tlserror.htm (1,1)

    CSS3121: The media query -ms-viewport has been deprecated.

    CONSOLE21301: serviceWorker.getRegistrations is rejected due to unsecure context or host restriction in ms-appx-web://microsoft.microsoftedge/assets/errorpages/tlserror.htm?SecureProtocol=2688.

    SEC7120: [CORS] The origin ‘ms-appx-web://microsoft.microsoftedge’ failed to allow a cross-origin font resource at 'ms-appx-web:///assets/Fonts/BrowserMDL.ttf#Browser MDL2 Assets’.

    CSS3119: No fonts available for @font-face rule
    ErrorPageStyles.css (11,7)

    No Results

    Elements:

    Can’t connect securely to this page
    
    
    
    
    
    
    
    
    
        
            
                
                    
                        
    
                    
    
                    
                        Can’t connect securely to this page
    
                        This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.
    
                        Try this:
    
                        
                            [Go back to the last page](#)
    

    Network:

    Request URL: https://webmail.spectrum.net/mail/auth

    Request Method: GET

    Status Code: 200 / OK

  • This issue is 3+ years old and A LOT of folks are still angered by the lack of a working fix.
    It was said best at the top of this page when it was first posted:

    *Resources loaded from within an extension should be exempt from cross origin loading policies (this is the case with other web browsers). NOTE: The only browser having this issue is the Edge since 2016. Devs lets fix this already !!!

  • Microsoft Edge Team

    Changed Status from “In progress” to “Confirmed”

    Changed Assigned To to “Venkat K.”

You need to sign in to your Microsoft account to add a comment.

Sign in