This sounds like _when the thing is downloaded for use a font_ Firefox considers it invalid.
https://github.com/mozilla/gecko-dev/blob/57f94ca1d57ab745242daafc8926690377579b83/gfx/thebes/gfxUserFontSet.cpp#L692 is where the error is likely generated, and https://github.com/mozilla/gecko-dev/blob/57f94ca1d57ab745242daafc8926690377579b83/gfx/thebes/gfxUserFontSet.cpp#L193 is likely where it's caused.
That seems to refer to https://github.com/khaledhosny/ots, which seems to have a CLI tool to sanitize a font: https://github.com/khaledhosny/ots/blob/main/util/ots-sanitize.cc
If I have time in the evening I might try building it and running it against the font you have to see what the problem is.
@robryk I built OTS, and ran `ots-sanitize cmunss-0745961ddcecad8aa4fd00b9e39cce11.woff`. It gave some "glyph bbox incorrect" warnings, but finished by saying it'd sanitized the file successfully. There's definitely something just in Firefox that's making it not download the file correctly when used as a font.
Time to stare very hard at my CORS settings
@christianp maybe try replacing the font with its sanitized version?
@robryk I think it'd be a massive coincidence that this stopped working when I updated the mastodon code but didn't change the font file
@christianp do you know that this problem wasn't happening earlier? Might it have been masked by something, which then changed with the mastodon update and stopped masking it? (For example, maybe there is a fallback to a CDN, which is now made infeasible by a change in cors.)
@robryk as far as I know this font isn't served from a CDN
@christianp also, I strongly doubt it has anything to do with cors. Font sanitization is there to protect the computer from the websites.
@robryk ah great, thanks!