IBM Security Verify


ISAM WebSEAL: WOFF 2.0 Fonts Blocked

  • 1.  ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Thu October 24, 2019 12:40 PM
    Hello all,

    We have an application which displays some icons on its web page. When the application is accessed directly without WebSEAL, it loads all the icons properly.

    However, when the application is accessed through WebSEAL, the icons do not display. The following errors are observed on the browser console:

    Failed to decode downloaded font: <URL>
    Failed to decode downloaded font: https://<webseal>/mga/sps/static/fonts/glyphicons-halflings-regular.woff2
    OTS parsing error: Failed to convert WOFF 2.0 font to SFNT
    OTS parsing error: incorrect file size in WOFF header
    OTS parsing error: incorrect entrySelector for table directory

    Any idea on how to allow these through webseal?

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------
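
The "incorrect file size in WOFF header" error in the post above can be checked without a browser: both WOFF and WOFF 2.0 headers store the total file length as a big-endian uint32 at offset 8, so comparing it with the number of bytes actually received shows whether the body changed in transit. This is an added example, not part of the thread and not IBM code; `inspect_woff`, `make_sample_woff2` and the sample bytes are constructed for illustration.

```python
import struct

# Signatures from the WOFF 1.0 and WOFF 2.0 file headers.
SIGNATURES = {b"wOFF": "WOFF 1.0", b"wOF2": "WOFF 2.0"}


def inspect_woff(body: bytes) -> dict:
    """Compare the length declared in a WOFF/WOFF2 header with the bytes received."""
    if len(body) < 12:
        return {"format": None, "verdict": "too short to hold a WOFF header"}
    # Header starts: signature (4 bytes), flavor (uint32), length (uint32), big-endian.
    signature, _flavor, declared = struct.unpack(">4sII", body[:12])
    fmt = SIGNATURES.get(signature)
    if fmt is None:
        return {"format": None, "verdict": f"not a WOFF file, starts with {signature!r}"}
    actual = len(body)
    if declared == actual:
        verdict = "intact: declared length matches received length"
    elif actual > declared:
        verdict = "body grew in transit (rewritten or re-encoded)"
    else:
        verdict = "body truncated in transit"
    return {"format": fmt, "declared": declared, "actual": actual, "verdict": verdict}


def make_sample_woff2(payload: bytes) -> bytes:
    """Constructed test input: a minimal WOFF2-style header plus opaque payload.
    Not a usable font; only the first 12 header bytes are meaningful here."""
    total = 12 + len(payload)
    return struct.pack(">4sII", b"wOF2", 0x00010000, total) + payload


if __name__ == "__main__":
    direct = make_sample_woff2(bytes(range(256)))
    # Constructed corruption: binary handled as Latin-1 text and re-emitted as UTF-8,
    # one way a text-processing hop can change a binary body (an assumption used
    # for the demo, not a statement about what WebSEAL does).
    via_proxy = direct.decode("latin-1").encode("utf-8")
    for name, body in (("direct", direct), ("via proxy", via_proxy)):
        print(name, inspect_woff(body))
```

To use it on real data, save the same font once directly from the backend and once through the proxy, then pass each file's bytes to `inspect_woff`; a mismatch only on the proxied copy points at body modification rather than the Content-Type header.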


  • 2.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 07:12 AM
    Usually issues with WOFF files are related to content-type. What content-type is the backend server using when returning the WOFF files?
    It should be something appropriate. If it is sending them back as text/html, this could cause WebSEAL to try and process them as HTML files and break them.

    You should be able to see the response type in a debug or snoop trace.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 07:26 AM
    Edited by Jon Harry Fri October 25, 2019 07:27 AM
    Ah, hang on.  Looks like the backend server is the ISAM AAC/Fed Runtime.

    In that case, you should check the metadata.xml file under Template Files. (in C directory).
    In 9.0.7.0 this includes the following:

    <!-- make sure all woff2 get sent back as text/plain -->
    <meta:Metadata>
      <meta:Identifiers>
        <meta:IdentifierPattern>
          <meta:Include>.*\.woff2</meta:Include>
        </meta:IdentifierPattern>
      </meta:Identifiers>
      <meta:Parameters>
        <meta:Parameter name="setHeader.Content-Type">application/font-woff</meta:Parameter>
      </meta:Parameters>
    </meta:Metadata>


    <!-- make sure all woff get sent back as font/woff -->
    <meta:Metadata>
      <meta:Identifiers>
        <meta:IdentifierPattern>
          <meta:Include>.*\.woff</meta:Include>
        </meta:IdentifierPattern>
      </meta:Identifiers>
      <meta:Parameters>
        <meta:Parameter name="setHeader.Content-Type">application/font-woff</meta:Parameter>
      </meta:Parameters>
    </meta:Metadata>

    I think maybe this is missing in earlier versions but you could add it.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 08:03 AM
    Hi Jon,

    Yes you are right, the backend server is ISAM AAC. The appliance version which we are working with is 9.0.7 and as you said, these entries are already there in the metadata.xml file.

    Do we have to add anything to the [content-mime-types] stanza?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 5.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 08:15 AM
    Hi Jahanzaib,

    I don't think adding to [content-mime-types] helps unless it is WebSEAL itself that is serving the file (for you it is AAC).

    A quick search seems to indicate that maybe the MIME type for a WOFF2 should be application/font-woff2.
    Does changing that in the metadata help?

    What do you see coming back in the browser (using browser dev tools)? Is the MIME type being set correctly?

    When you say it works when getting direct from backend server, what do you mean?  You mean getting direct from AAC or from some other web server?  What MIME type do you see when getting it directly in the case that it works?

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 09:06 AM
    Edited by Jahanzaib Sarwar Fri October 25, 2019 09:07 AM
    Hi Jon,
    I have updated the MIME type for a WOFF2 to be application/font-woff2 in the metadata.xml file but this does not help either.

    Below is the output from the browser dev tools for the three files being returned and their respective MIME types:

    glyphicons-halflings-regular.woff2    application/font-woff2
    glyphicons-halflings-regular.woff    application/font-woff
    glyphicons-halflings-regular.ttf     application/octet-stream

    When I say it works when getting direct from backend server, I mean getting direct from a web server /application server (Tomcat in this case). When getting directly, it works and the MIME types are:

    glyphicons-halflings-regular.woff2    font/woff2

    For the other two files, I am not able to verify the type because it is not shown in the browser trace and the following warning is there at the place where response details are shown: Provisional headers are shown

    Best regards,


    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 7.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 09:10 AM
    Maybe try changing the metadata file to set MIME type for .woff2 files to be font/woff2

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 8.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Fri October 25, 2019 09:47 AM
    Tried but no luck...

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 9.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Wed April 01, 2020 09:44 AM
    Any luck with this? I'm experiencing the same issue and I've tried out all of the approaches mentioned above.

    ------------------------------
    Dino Blazeka
    ------------------------------



  • 10.  RE: ISAM WebSEAL: WOFF 2.0 Fonts Blocked

    Posted Wed April 01, 2020 06:19 PM
    No.. We had time constraints at that moment so we went for a workaround and excluded the woff files from the backend app.

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------