What is the expected behavior?
The domain venom-assets.edmunds-media.com is part of the TLS certificate for www.edmunds.com and any calls to it should be trusted after the initial handshake, i.e., it should happen only once at the beginning.
Welcome to “credentialed connection” hell. Fonts are considered non-credentialed and are requested on an “anonymous” connection. From Chrome and Firefox’s perspective that means using a completely separate connection where cookies are never sent.
There is active discussion around getting rid of the second-connection requirement but it’s still the case right now.
I THINK (needs verifying) that if the fonts are from the same origin as the page then it may re-use the same connection but once it crosses origins it bumps into the CORS anonymous requirement.
The OCSP requests are cert revocation checks because of EV certificates. The only way to eliminate both of them is to use DV certs instead of EV certs. You can get rid of one of them by enabling OCSP stapling on the server.
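One way to confirm whether a server staples OCSP responses, as the reply above suggests enabling (an added example, not part of the original thread). The function classifies the output of `openssl s_client -status`; both sample outputs are constructed, and the host in the comment is a placeholder.

```shell
# Classify the OCSP section of `openssl s_client -status` output read on stdin.
# Live use (needs network; example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#     -status </dev/null 2>/dev/null | stapling_status
stapling_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    # Server sent no stapled response: the client must query the CA's responder.
    echo "not-stapled"
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    # Stapled response present: report the certificate status it carries.
    cert=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: *//p' | head -n 1)
    echo "stapled:${cert:-unknown}"
  else
    echo "unknown"
  fi
}

# Constructed sample: server with stapling enabled.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Cert Status: good
======================================'

# Constructed sample: server without stapling.
SAMPLE_PLAIN='CONNECTED(00000003)
OCSP response: no response sent
---'

printf '%s\n' "$SAMPLE_STAPLED" | stapling_status
printf '%s\n' "$SAMPLE_PLAIN" | stapling_status
```

A `stapled:` result means the handshake already carries the revocation answer, so the browser can skip its own request to the OCSP responder.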
Hi dfavor, #3 is actually our main content download.
Also, we are set up for HTTP/2. You can confirm this by entering the site at HTTP/2 Test - Verify HTTP/2 Support | KeyCDN Tools.
Getting off NGINX is not a decision we can take lightly. Do you have some more info/references on why Apache+http/2 is better than nginx+http/2?