I've added the Google fonts URL to the font-src directive of my Content-Security-Policy header. I'm getting the following error in Chrome 42:
Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans:300,400,400italic,600,800|Source+Code+Pro' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".
My header field looks like this:
Content-Security-Policy: default-src 'self'; font-src http://fonts.googleapis.com; style-src 'self' 'unsafe-inline'
The problem is that links to http://fonts.googleapis.com return stylesheets, not fonts. If you examine the stylesheet it pulls in, you'll find several @font-face rules that pull fonts from http://fonts.gstatic.com.
To make this work properly, your Content-Security-Policy header should look something like:
Content-Security-Policy: default-src 'self'; font-src http://fonts.gstatic.com; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com
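To see why the first header fails and the second works, here is a small CSP checker I added as an example (not code from the question or answer). It parses a policy, applies the default-src fallback, and matches a fetched URL against the host sources of the governing directive; the page origin https://example.com and the two sample URLs are constructed for the demo, and the matcher covers only the 'self', scheme and host forms relevant here.

```python
from urllib.parse import urlsplit

# Constructed samples: the header from the question and the corrected one from the answer.
BROKEN = "default-src 'self'; font-src http://fonts.googleapis.com; style-src 'self' 'unsafe-inline'"
FIXED = ("default-src 'self'; font-src http://fonts.gstatic.com; "
         "style-src 'self' 'unsafe-inline' http://fonts.googleapis.com")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Does one source expression allow fetching `url`? (subset of CSP host-source rules)"""
    u = urlsplit(url)
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):
        # 'unsafe-inline', 'none', nonces and hashes never match a fetched URL.
        return False
    if "://" in expr:
        scheme, _, host = expr.partition("://")
        # CSP lets an http: source also match https: (upgrade), but not the reverse.
        if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
            return False
    else:
        host = expr
    host = host.split("/")[0]  # ignore any path part of the source expression
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host or u.netloc == host


def allowed(header, directive, url, page_origin="https://example.com"):
    """Check `url` under `directive`, falling back to default-src as browsers do."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)
```

The stylesheet request is governed by style-src, so listing fonts.googleapis.com only under font-src does nothing for it; the font files it references come from fonts.gstatic.com, which is what font-src must allow.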