Having the same problem as this guy but am not using .NET so I don't know what the answer to this problem is. I am using Electron.

<head>
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'self' https://fonts.googleapis.com">

<meta http-equiv="Content-Security-Policy" content="font-src https://fonts.gstatic.com">

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

<meta charset="UTF-8">

<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Poppins:wght@300&display=swap" rel="stylesheet">

<link rel="stylesheet" href="index.css">
</head>

Here is the error:

Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Poppins:wght@300&display=swap' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

The question is here, 'style-src-elem' IS explicitly set. I have no idea what is going on. Please help

Nevermind, figured it out! I thought I could separate the <meta> tags for readability, but it turns out that was not the case. Each <meta> tag was over-writing the previous, leaving everything to check for the last content="default-src 'self'" <meta> tag. Here is the working code for anyone that is having a similar problem:

<head>
    <meta http-equiv="Content-Security-Policy" content="
        default-src 'self';
        style-src-elem 'self' https://fonts.googleapis.com;
        font-src https://fonts.gstatic.com;
    ">

    <meta charset="UTF-8">



    <link rel="preconnect" href="https://fonts.gstatic.com">
    <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@300&display=swap" rel="stylesheet">

    <link rel="stylesheet" href="index.css">
</head>