
"[Report Only] Refused to load the font..." error message on console

More specifically:

[Report Only] Refused to load the font 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQAAoAAAAAG…H8zVsjnmMx0GcZ2HGViNOySWEa9fvEQtW43Nm+EOO0ZIpdLbMXoVzPJkcfHT6U+gLEpz/MAAAA' because it violates the following Content Security Policy directive: "font-src 'self'".

This is my contentSecurityPolicy object at environment.js:

contentSecurityPolicy: {
  'default-src': "'none'",
  'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
  'connect-src': "'self'",
  'img-src': "'self' www.facebook.com",
  'style-src': "'self' 'unsafe-inline'",
  'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com",
  'report-uri': "http://localhost:4200"
},

Is there anything wrong?

Gustavo Siqueira asked Oct 26 '14 11:10


2 Answers

Add 'font-src': "data:", to whitelist the font being loaded.

oreoshake answered Oct 02 '22 23:10
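An added example, not code from the question, the answer, or any CSP library: a simplified model of how a browser matches a font URL against the `font-src` source list, showing why `'self'` does not cover a `data:` font. The `font-src` value is taken from the console message, since the posted object does not set it, and the font URLs and helper names are constructed for illustration. Because a directive's source list in the resulting header is exactly what is written, the example also checks the case where only `data:` is listed.

```javascript
// Simplified CSP source-list matching for font loads (added example).
// Covers only: 'none', 'self', scheme sources (data:, https:) and bare hosts.
// Paths, ports, wildcards, nonces and hashes are intentionally not modelled.

// Policy object in the same shape as the question's environment.js.
const questionPolicy = {
  'default-src': "'none'",
  'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
  'img-src': "'self' www.facebook.com",
  'font-src': "'self'" // assumption: value named in the console message
};

// font-src falls back to default-src when it is not set.
function effectiveFontSources(policy) {
  const list = policy['font-src'] ?? policy['default-src'];
  return list === undefined ? null : list.trim().split(/\s+/);
}

function fontAllowed(policy, fontUrl, pageOrigin) {
  const sources = effectiveFontSources(policy);
  if (sources === null) return true; // no governing directive at all
  const url = new URL(fontUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    // A data: URL has the opaque origin "null", so 'self' never matches it.
    if (src === "'self'") return url.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
    if (src.startsWith("'")) return false; // other keywords do not apply to fonts
    return url.hostname === src.toLowerCase(); // bare host source
  });
}

// Constructed sample inputs.
const ORIGIN = 'http://localhost:4200';
const DATA_FONT = 'data:application/x-font-woff;charset=utf-8;base64,AAAA';
const LOCAL_FONT = ORIGIN + '/assets/fonts/app.woff';

function report(policy) {
  return { data: fontAllowed(policy, DATA_FONT, ORIGIN),
           local: fontAllowed(policy, LOCAL_FONT, ORIGIN) };
}

const asReported = report(questionPolicy); // data: font refused
const dataOnly = report({ ...questionPolicy, 'font-src': 'data:' }); // same-origin font refused
const selfAndData = report({ ...questionPolicy, 'font-src': "'self' data:" }); // both load
console.log({ asReported, dataOnly, selfAndData });
```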


I have been spending quite some time trying to figure out why the built version of my Polymer code was violating my CSP in Firefox and Safari (it works in Chrome), and it turns out that, as Polymer components contain inline scripts, they can cause CSP issues that are not resolved using 'unsafe-inline' & 'unsafe-eval' headers for Firefox and Safari. However, if you include data: in your script CSP, this will allow the inline scripts that are compiled during the Polymer build to run on your web app without violating the CSP. Thought I would share here as this answer helped me resolve my issue.

dwelby101 answered Oct 02 '22 21:10