css http-redirect cross-domain webfonts

External web font via redirect


When trying to use a font file from another domain on a web page, I ran into the restrictions of the Cross Origin Resource Policy in all its glory.

So, instead of referencing the external font URL directly from CSS with @font-face, I referenced a local URL path which redirects to the external font resource. I thought the browser might treat the font as a same-domain resource. And indeed, the redirect seemed to fool Chrome into using the external font, but this was not the case with Firefox, which did not allow it.

My question is, which of the two behaviors, demonstrated by Chrome and Firefox respectively, is the standards-compliant one?


Solution

  • From: http://www.w3.org/TR/cors/#cors-api-specification-redirect

    Since browsers are based on a same origin security model and the policy outlined in this specification is intended for APIs used in browsers, it is expected that APIs that will utilize this policy will have to handle a same origin request that results in a redirect that is cross-origin in a special way.

    For APIs that transparently handle redirects CORS API specifications are encouraged to handle this scenario transparently as well by "catching" the redirect and invoking the cross-origin request algorithm on the (cross-origin) redirect URL.

    From what I can understand, it seems that Firefox handles it 'the right way'.
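
The check the quoted specification text describes, as an added example that is not part of the original question or answer: a simplified model of a client that catches each redirect and applies the cross-origin check to the redirect target. The function name `checkFontFetch`, the hosts `site.example` and `fonts.example`, and the response maps are constructed for illustration.

```javascript
// Simplified model of a client that "catches" redirects and applies the
// cross-origin check to every hop once the chain leaves the page's origin.
// Not browser code: it ignores credentials and the opaque-origin rules for
// chains spanning several origins. Header names are assumed lower-case.
const REDIRECTS = new Set([301, 302, 303, 307, 308]);

function checkFontFetch(pageUrl, fontUrl, responses, maxHops = 20) {
  const pageOrigin = new URL(pageUrl).origin;
  let url = new URL(fontUrl, pageUrl).href;
  let crossOrigin = false; // sticky: set once any hop is on another origin

  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[url];
    if (!res) return { allowed: false, url, reason: 'no response' };
    if (new URL(url).origin !== pageOrigin) crossOrigin = true;

    if (crossOrigin) {
      const acao = res.headers['access-control-allow-origin'];
      if (acao !== '*' && acao !== pageOrigin) {
        return { allowed: false, url, reason: 'missing or mismatched Access-Control-Allow-Origin' };
      }
    }
    if (!REDIRECTS.has(res.status)) return { allowed: true, url, reason: 'ok' };
    if (!res.headers.location) return { allowed: false, url, reason: 'redirect without Location' };
    url = new URL(res.headers.location, url).href; // Location may be relative
  }
  return { allowed: false, url, reason: 'too many redirects' };
}

// Constructed sample: a local path that redirects to a font on another origin.
const PAGE = 'https://site.example/index.html';
const withoutCors = {
  'https://site.example/fonts/body.woff2':
    { status: 302, headers: { location: 'https://fonts.example/body.woff2' } },
  'https://fonts.example/body.woff2': { status: 200, headers: {} },
};
const withCors = {
  ...withoutCors,
  'https://fonts.example/body.woff2':
    { status: 200, headers: { 'access-control-allow-origin': 'https://site.example' } },
};

console.log(checkFontFetch(PAGE, '/fonts/body.woff2', withoutCors)); // blocked at the redirect target
console.log(checkFontFetch(PAGE, '/fonts/body.woff2', withCors));    // allowed
```

Under this model the local redirect changes nothing: the font is accepted only when the final cross-origin response itself opts in with `Access-Control-Allow-Origin`.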