Blocking query strings (@fontface and IE8 problem)

I recently found that Internet Explorer 8 was not downloading the fonts for @fontface and, with trial and error, I managed to trace it to an .htaccess function that blocks malicious query strings. It came from this article and runs thus:

RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).* [NC]
RewriteRule ^(.*)$ - [F,L]

Can anyone tell me which particular part of this code is responsible for blocking IE8 and whether it can safely be edited to fix it?

What is the URL IE8 is requesting? Do you know that?

Do you mean the location of the fonts?

That’s http://mydomain.com/gallery/Note_this-webfont.eot (or whichever file type IE uses). I used to use a different font, whose files were called journal-webfont.eot: that had the same problem.

Am I correct in assuming you’re using the question mark in the src for IE<9 technique? i.e. src: 'blablabla.eot?' ?

If so, the problem is either the %22 if you’re using double quotes in the other src declarations in the CSS rule or %27 if you’re using single quotes in the other src declarations in the CSS rule.

So either remove that from the (second) RewriteCond, or remove the quotes from the CSS altogether.

Um, yes, it has a question mark followed by iefix. I just copied and pasted whatever Fontsquirrel generates. Could you clarify your second comment about the percent figures? I don’t quite understand that.

Okay, let me explain how that works.

Here’s a simple example of an @font-face declaration with that IE fix:

@font-face {
  font-family: 'MyFont';
  src: url('MyFont.eot?iefix');
       url('MyFont.woff') format('woff'),
       url('MyFont.ttf') format('truetype');
}

(Note: this is not the best @font-face syntax AFAIK, but will suffice for this example. See http://www.fontspring.com/blog/further-hardening-of-the-bulletproof-syntax)

The bug in IE < 9 is that instead of just seeing ‘MyFont.eot?iefix’ as the src, it sees everything up until the end of the line as the src.
So, for my example, the URL IE will request will be something like

MyFont.eot?iefix%27%29%3Burl%28%27MyFont.woff%27%29+format%28%27woff%27%29%2Curl%28%27MyFont.ttf%27%29+format%28%27truetype%27%29%3B

As you can see, the single quotes are converted to %27, since a single quote sits at position hex 27 in the ASCII table.

So, if you use single quotes, you need to remove the %27| alternative from the (second) RewriteCond shown below. If you use double quotes, remove the %22| alternative instead.

RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).* [NC,OR]

Or, don’t use any quotes in your CSS at all :)
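To make the interaction concrete, here is an added Python simulation (it is not code from this thread or from the article the rules came from) of the three RewriteCond lines above, evaluated the way mod_rewrite chains [OR] conditions. It rebuilds the IE < 9 request from the tail of the src value in the example CSS and reports every alternative in the conditions that fires on it. The function names, the sample query strings and the use of quote_plus to stand in for the browser's percent-encoding are all my own assumptions.

```python
import re
from urllib.parse import quote_plus

# The three RewriteCond lines from the thread, as (alternatives, flags).
# [NC] => case-insensitive match; [OR] => OR-ed with the next condition.
REWRITE_CONDS = [
    (["localhost", "loopback", r"127\.0\.0\.1"], {"NC", "OR"}),
    ([r"\.", r"\*", ";", "<", ">", "'", '"', r"\)", "%0A", "%0D",
      "%22", "%27", "%3C", "%3E", "%00"], {"NC", "OR"}),
    (["md5", "benchmark", "union", "select", "insert", "cast", "set",
      "declare", "drop", "update"], {"NC"}),
]

# Constructed sample: everything after the '?' in the example CSS src value,
# which IE < 9 mistakenly sends to the server as the query string.
SRC_TAIL = "iefix');url('MyFont.woff') format('woff'),url('MyFont.ttf') format('truetype');"


def ie_legacy_query(src_tail):
    """Percent-encode the src tail as a browser would (assumption: quote_plus
    with no safe characters matches it: space -> '+', quote -> %27, '(' -> %28)."""
    return quote_plus(src_tail, safe="")


def cond_matches(alternatives, flags, query):
    """Evaluate one RewriteCond pattern of the form ^.*(a|b|c).* against the query string."""
    if not alternatives:
        return False                      # an emptied group matches nothing
    pattern = "^.*(" + "|".join(alternatives) + ").*"
    return re.search(pattern, query, re.I if "NC" in flags else 0) is not None


def rewrite_conds_satisfied(conds, query):
    """Walk the condition chain like mod_rewrite: OR-ed members form a group that
    is satisfied by any hit; a failed AND-ed (or group-closing) member aborts."""
    i = 0
    while i < len(conds):
        alts, flags = conds[i]
        hit = cond_matches(alts, flags, query)
        if hit and "OR" in flags:
            while i < len(conds) and "OR" in conds[i][1]:
                i += 1                    # skip the remaining OR-ed members
            i += 1                        # and the member that closes the group
        elif hit:
            i += 1                        # AND-ed condition passed
        elif "OR" in flags:
            i += 1                        # try the next member of the group
        else:
            return False                  # AND-ed or closing condition failed
    return True                           # RewriteRule ... [F] would fire


def matching_alternatives(conds, query):
    """List every individual alternative (across all conditions) that matches."""
    hits = []
    for alts, flags in conds:
        re_flags = re.I if "NC" in flags else 0
        hits.extend(a for a in alts if re.search(a, query, re_flags))
    return hits


def drop_alternative(conds, alternative):
    """Return a copy of the chain with one alternative removed from every group."""
    return [([a for a in alts if a != alternative], flags) for alts, flags in conds]


IE_QUERY = ie_legacy_query(SRC_TAIL)

if __name__ == "__main__":
    print("IE < 9 query string:", IE_QUERY)
    print("blocked:", rewrite_conds_satisfied(REWRITE_CONDS, IE_QUERY))
    print("alternatives that fire:", matching_alternatives(REWRITE_CONDS, IE_QUERY))
    print("blocked without %27:",
          rewrite_conds_satisfied(drop_alternative(REWRITE_CONDS, "%27"), IE_QUERY))
    print("benign 'page=2&sort=name' blocked:",
          rewrite_conds_satisfied(REWRITE_CONDS, "page=2&sort=name"))
```

Feed matching_alternatives the query string exactly as it appears in your own access log rather than the reconstruction: it lists every branch that trips, so you can tell whether dropping one alternative (such as %27) is enough for the request your server actually receives or whether another branch, such as the literal dot in the later font file names, also matches that tail.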

Okay. That makes sense now. Thanks for helping out.