Can anyone help with this error I've been getting since upgrading mathstodon.xyz to 4.2?
In Firefox, I get an error "downloadable font: rejected by sanitizer" when downloading https://mathstodon.xyz/packs/media/fonts/Sans/cmunss-0745961ddcecad8aa4fd00b9e39cce11.woff.
The Network tab says only 948B were transferred; the file is 77KB on disk. Because it's a font, Firefox won't show me the received raw data in the Response tab.
When I redo the request as a curl command, I get the whole file. I didn't change the nginx config when upgrading, and other woff fonts have loaded.
I'm at a loss!
This sounds like _when the thing is downloaded for use a font_ Firefox considers it invalid.
https://github.com/mozilla/gecko-dev/blob/57f94ca1d57ab745242daafc8926690377579b83/gfx/thebes/gfxUserFontSet.cpp#L692 is where the error is likely generated, and https://github.com/mozilla/gecko-dev/blob/57f94ca1d57ab745242daafc8926690377579b83/gfx/thebes/gfxUserFontSet.cpp#L193 is likely where it's caused.
That seems to refer to https://github.com/khaledhosny/ots, which seems to have a CLI tool to sanitize a font: https://github.com/khaledhosny/ots/blob/main/util/ots-sanitize.cc
If I have time in the evening I might try building it and running it against the font you have to see what the problem is.
@robryk I built OTS, and ran `ots-sanitize cmunss-0745961ddcecad8aa4fd00b9e39cce11.woff`. It gave some "glyph bbox incorrect" warnings, but finished by saying it'd sanitized the file successfully. There's definitely something just in Firefox that's making it not download the file correctly when used as a font.
Time to stare very hard at my CORS settings
@christianp maybe try replacing the font with its sanitized version?
@robryk I think it'd be a massive coincidence that this stopped working when I updated the mastodon code but didn't change the font file
@christianp do you know that this problem wasn't happening earlier? Might it have been masked by something, which then changed with the mastodon update and stopped masking it? (For example, maybe there is a fallback to a CDN, which is now made infeasible by a change in cors.)
@robryk as far as I know this font isn't served from a CDN
@christianp also, I strongly doubt it has anything to do with cors. Font sanitization is there to protect the computer from the websites.
@robryk ah great, thanks!