1

Hi i have some content security policy like this:

<meta http-equiv="content-security-policy" content="default-src 'self';
    script-src 'self' 'nonce-MhqUJrKKq9' https://ajax.googleapis.com/ajax/libs/webfont/1.6.16/webfont.js;
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/;
    object-src 'none'; base-uri 'none';">

I was try to allow a google fonts, but it give me this error:

webfont.js:17 Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700%7CRoboto:300,400,500,600,700' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/".

so what can caused this error? i though i already exclude it from my policy.

4

1 回答 1

1

试试没有 https 的谷歌字体,http://fonts.googleapis.com/css?family=Poppins :300,400,500,600,700%7CRoboto:300,400,500,600,700%27

于 2018-06-30T16:52:32.723 回答