Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Chrome Throwing Content Security Policy Error on Google Fonts

I've added the Google fonts URL to the font-src directive of my Content-Security-Policy header. I'm getting the following error in Chrome 42:

Refused to load the stylesheet 'http://fonts.googleapis.com/css?
family=Open+Sans:300,400,400italic,600,800|Source+Code+Pro' because it violates the
following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

My header field looks like this:

Content-Security-Policy: default-src 'self'; font-src http://fonts.googleapis.com;
style-src 'self' 'unsafe-inline'
like image 541
StormyKnight Avatar asked Jan 15 '15 23:01

StormyKnight


People also ask

Why is Google Font not working?

Potential Cause. There is an error in the API URL, or a style that is not supported by the font has been requested.

What is a potential drawback of using Google fonts?

They only work on certain email clients: iOS Mail, Mail. app, Lotus Notes 8, default Mail on Android, Outlook 2000, and Thunderbird.

Is it safe to use Google fonts?

Yes, you can use them commercially, and even include them within a product that is sold commercially. Usage and redistribution conditions are specified in the license. The most common license is the SIL Open Font License.


1 Answers

The problem is that links to http://fonts.googleapis.com return stylesheets, not fonts. If you examine the stylesheet it pulls in you'll find several @font-face rules that pull fonts from http://fonts.gstatic.com.

To make this work properly, your Content-Security-Policy header should look something like:

Content-Security-Policy: default-src 'self'; font-src http://fonts.gstatic.com; 
style-src 'self' 'unsafe-inline' http://fonts.googleapis.com
like image 142
StormyKnight Avatar answered Sep 16 '22 13:09

StormyKnight