Content-Security-Policy incompatibilities

I have defined the following CSP:

Header always set Content-Security-Policy "default-src 'none' ; base-uri 'self'; connect-src 'self'; form-action 'self' ; frame-ancestors 'self' ; script-src 'self' 'unsafe-inline' ; object-src 'none' ; style-src 'self' 'unsafe-inline' ; img-src 'self' ; font-src 'self' ; worker-src 'self' "

The browser (Chromium) displays the following error:

Refused to load the font 'data:application/octet-stream;base64,d09GRgABAAAAAEEYAA8AAAAAeBQAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABHU1VCAAABWAAAADsAAABUIIslek9TLzIAAAGUAAAAQwAAAFY+L1L9Y21hcAAAAdgAAAJPAAAF5oRYnGZjdnQgAAAEKAAAABMAAAAgBtX+5mZwZ20AAAQ8AAAFkAAAC3CKkZBZZ2FzcAAACcwAAAAIAAAACAAAABBnbHlmAAAJ1AAAMd0AAFv8cFA8X2hlYWQAADu0AAAAMwAAADYPx60EaGhlYQAAO+gAAAAgAAAAJAd1A9ZobXR4AAA8CAAAAHMAAAEc9cH/zWxvY2EAADx8AAAAkAAAAJDjAPw+bWF4cAAAPQwAAAAgAAAAIAG+DbBuYW1lAAA9LAAAAXcAAALNzJ0dH3Bvc3QAAD6kAAAB9QAAA29YoVQHcHJlcAAAQJwAAAB6AAAAhuVBK7x4nGNgZGBg4GIwYL...' because it violates the following Content Security Policy directive: "font-src 'self' ".

ifm.php:1 Refused to load the font 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQiCLJXoAAAD8AAAAVE9TLzI+L1L9AAABUAAAAFZjbWFwhFicZgAAAagAAAXmY3Z0IAbV/uYAAGv8AAAAIGZwZ22KkZBZAABsHAAAC3BnYXNwAAAAEAAAa/QAAAAIZ2x5ZnBQPF8AAAeQAABb/GhlYWQPx60EAABjjAAAADZoaGVhB3UD1gAAY8QAAAAkaG10ePXB/80AAGPoAAABHGxvY2HjAPw+AABlBAAAAJBtYXhwAb4NsAAAZZQAAAAgbmFtZcydHR8AAGW0AAACzXBvc3RYoVQHAABohAAAA29wcmVw5UErvAAAd4wAAACGAAEAAAAKADAAPgACREZMVAAObGF0bgAaAAQAAAAAAAAAAQAAAAQAAAAAAAAAAQAAAAFsaWdhAAgAAAABAAAAAQAEAAQAAAABAAgAAQAGAAAAAQAAAAEDdgGQAAUAAAJ6ArwAAACMAn...' because it violates the following Content Security Policy directive: "font-src 'self' ".

Wouldn't it be possible to have these fonts as files?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
j75 commented, Nov 12, 2020

'self' already existed - but data: has solved my problems!

Thanks again!

0 reactions
misterunknown commented, Nov 12, 2020

Hm, yeah, obviously the CDN version does not work because the relevant URLs are not present within the CSP header.

I’m not sure why the adjustment of font-src in the CSP header (adding unsafe-inline) does not work. Maybe you have to add 'self' instead of 'unsafe-inline'.

This comment suggests that you can add the data: scheme, so fonts can be loaded.
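
To make the behaviour behind the issue and the two replies concrete, here is a small evaluator for the fetch-directive part of a Content-Security-Policy. It is an added example, not code from the ifm project or from anyone in the thread, and it is deliberately minimal: it handles 'self', 'none', scheme sources (data:, https:), host sources, '*' and the default-src fallback, which is all that is needed to show why `font-src 'self'` rejects a base64 data: font, why adding 'unsafe-inline' to font-src cannot help (quoted keywords other than 'self' never match a fetched URL), why a CDN-hosted font is also rejected unless its host is listed, and why `font-src 'self' data:` is what makes the embedded fonts load. The document origin `https://files.example.com` and the truncated data: font are constructed for the demo; the policy string is the one from the issue, spacing included.

```javascript
// Added example, not code from the ifm project or the issue thread: a minimal
// evaluator for CSP fetch directives. It is not a complete CSP3 engine; it
// models only source matching for 'self', 'none', scheme sources, host
// sources, '*' and the default-src fallback chain.

// Fallback chain per resource type (CSP3 "effective directive"), abridged.
const FALLBACK = {
  font: ['font-src', 'default-src'],
  script: ['script-src', 'default-src'],
  style: ['style-src', 'default-src'],
  img: ['img-src', 'default-src'],
  connect: ['connect-src', 'default-src'],
  worker: ['worker-src', 'child-src', 'script-src', 'default-src'],
};

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "name src src; name src" into a Map. CSP keeps the first occurrence
// of a directive name and ignores later duplicates.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match a URL fetched by a document at `origin`?
function sourceMatches(expr, url, origin) {
  if (expr.startsWith("'") && expr.endsWith("'")) {
    // 'self' is the only quoted keyword that can match a fetched URL.
    // 'none' matches nothing; 'unsafe-inline', 'unsafe-eval', nonces and
    // hashes govern inline script/style only. A data: URL has an opaque
    // ("null") origin, so it never equals the document origin.
    return expr.toLowerCase() === "'self'" && url.origin === origin.origin;
  }
  if (expr === '*') {
    // '*' covers network schemes only, never data:, blob: or filesystem:.
    return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.protocol === expr.toLowerCase(); // scheme source, e.g. data:
  }
  // Host source: [scheme://][*.]host[:port][/path]; the path is ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (url.protocol !== origin.protocol && url.protocol !== 'https:') {
    return false; // scheme-less host source inherits the document scheme (https upgrade allowed)
  }
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith(`.${host.toLowerCase()}`) : h !== host.toLowerCase()) return false;
  if (port && port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  return true;
}

// Decide whether `resourceUrl` of `resourceType` may load, and which directive
// made the decision (null when no directive in the chain governs it).
function isAllowed(policy, resourceType, resourceUrl, documentOrigin) {
  const directives = parsePolicy(policy);
  const url = new URL(resourceUrl);
  const origin = new URL(documentOrigin);
  for (const name of FALLBACK[resourceType]) {
    const sources = directives.get(name);
    if (sources === undefined) continue; // absent: fall through the chain
    return { allowed: sources.some((s) => sourceMatches(s, url, origin)), directive: name };
  }
  return { allowed: true, directive: null };
}

// The policy from the issue, verbatim (odd spacing included).
const ISSUE_POLICY = "default-src 'none' ; base-uri 'self'; connect-src 'self'; form-action 'self' ; " +
  "frame-ancestors 'self' ; script-src 'self' 'unsafe-inline' ; object-src 'none' ; " +
  "style-src 'self' 'unsafe-inline' ; img-src 'self' ; font-src 'self' ; worker-src 'self' ";

function demo() {
  const origin = 'https://files.example.com'; // assumed document origin (constructed)
  const dataFont = 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBw'; // truncated, constructed
  const withUnsafeInline = ISSUE_POLICY.replace("font-src 'self'", "font-src 'self' 'unsafe-inline'");
  const withData = ISSUE_POLICY.replace("font-src 'self'", "font-src 'self' data:");
  const withoutFontSrc = ISSUE_POLICY.replace("font-src 'self' ;", '');
  return {
    original: isAllowed(ISSUE_POLICY, 'font', dataFont, origin),          // blocked by font-src
    unsafeInline: isAllowed(withUnsafeInline, 'font', dataFont, origin),  // still blocked
    dataScheme: isAllowed(withData, 'font', dataFont, origin),            // allowed
    noFontSrc: isAllowed(withoutFontSrc, 'font', dataFont, origin),       // blocked by default-src 'none'
    selfFile: isAllowed(ISSUE_POLICY, 'font', `${origin}/fonts/icons.woff2`, origin), // allowed
    cdn: isAllowed(ISSUE_POLICY, 'font', 'https://cdn.example.net/icons.woff2', origin), // blocked
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and the output matches the console errors in the issue: with `font-src 'self'` the base64 font is refused, with `font-src 'self' 'unsafe-inline'` it is still refused, and only `font-src 'self' data:` (the fix j75 reports) lets it load. Two caveats for anyone copying the fix: unlike in script-src or object-src, allowing data: in font-src does not hand an attacker code execution, since a font is parsed by the font engine rather than run, but it does let any injected markup or CSS feed arbitrary font bytes to that parser; shipping the fonts as files on the same origin, as the issue asks, keeps font-src at 'self' and avoids the question entirely.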
